Control: tag -1 + pending

Quoting Johannes Schauer (2019-11-29 08:02:26)
> > I know. The situation is actually worse. The problem is, that apt only
> > allows a single keyring file or directory. This means that we cannot have
> > apt use the keyrings on the host and any manually specified keyrings at the
> > same time. This is a problem.
> > 
> > A solution would be to copy all keyring material from the host plus all
> > additionally specified keys into the chroot. But this would dirty the chroot
> > with all kinds of keyrings from the host, many of which are probably not
> > meant to end up in every chroot the user creates.
> > 
> > I'm still thinking about the right solution to this problem...
> 
> okay, I think I have a solution that might fix all of this.
> 
> By default, when not manually passing a string like "deb http://... dist comp"
> as a MIRROR argument, mmdebstrap will add the signed-by option to the
> sources.list for known distributions. This would mean that for Debian, Ubuntu,
> Tanglu and Kali, apt would automatically choose the single right key file from
> /usr/share/keyrings instead of using /etc/apt/trusted.gpg.
> 
> Since apt only supports a single Dir::Etc::Trusted or
> Dir::Etc::TrustedParts option, the --keyring option can be made to override
> the default of /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d, respectively.
> 
> Alternatively, (but this already works today) the user can always use the
> MIRROR argument together with the signed-by option to pass a custom keyring
> location for a specific mirror.
> 
> I think this should cover all possible use-cases.

This is fixed in this commit:

https://gitlab.mister-muffin.de/josch/mmdebstrap/commit/e6d5d74d870188597ad3383091a75083fbf86518

The current text for the --keyring option from the man page:

       --keyring=file|directory
               Change the default keyring to use by apt. By default,
               /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d are used.
               Depending on whether a file or directory is passed to this
               option, the former and latter default can be changed,
               respectively.  Since apt only supports a single keyring file
               and directory, respectively, you cannot use this option to
               pass multiple files and/or directories. Using the "--keyring"
               argument in the following way is equal to keeping the default:

                   --keyring=/etc/apt/trusted.gpg --keyring=/etc/apt/trusted.gpg.d

               If you need to pass multiple keyrings, use the "signed-by"
               option when specifying the mirror like this:

                   mmdebstrap mysuite out.tar "deb [signed-by=/path/to/key.gpg] http://..."

               The "signed-by" option will automatically be added to the final
               "sources.list" if the keyring required for the selected SUITE
               is not yet trusted by apt. Automatically adding the "signed-by"
               option in these cases requires "gpg" to be installed. If "gpg"
               and "ubuntu-archive-keyring" are installed, then you can create
               an Ubuntu Bionic chroot on Debian like this:

                   mmdebstrap bionic ubuntu-bionic.tar

               The resulting chroot will have a "sources.list" with a
               "signed-by" option pointing to
               /usr/share/keyrings/ubuntu-archive-keyring.gpg.
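As an added illustration of the rule the man page describes (this is example code written for this message, not mmdebstrap's own implementation): a `signed-by` option is only emitted when the keys in the suite's keyring are not already trusted by apt through trusted.gpg and trusted.gpg.d. The fingerprint helpers assume `gpg` is installed and binary keyrings only; the decision and line-building functions work on plain sets so they run offline with constructed fingerprints.

```python
#!/usr/bin/env python3
"""Decide whether a sources.list line needs an explicit signed-by option.

Added example (not mmdebstrap's code): signed-by pins one mirror to one
keyring, so the host's whole trust store need not be copied into the chroot.
"""
import subprocess
from pathlib import Path


def keyring_fingerprints(keyring: Path) -> set[str]:
    """Primary-key fingerprints in a binary keyring (gpg 'fpr' records, field 10).

    Assumes gpg is installed, which the man page also requires for this check.
    """
    out = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring),
         "--with-colons", "--with-fingerprint", "--list-keys"],
        check=True, capture_output=True, text=True).stdout
    return {ln.split(":")[9] for ln in out.splitlines() if ln.startswith("fpr:")}


def apt_trusted_fingerprints(etc_apt: Path = Path("/etc/apt")) -> set[str]:
    """Union of the keys apt trusts globally: trusted.gpg plus trusted.gpg.d/*.gpg.

    Armored *.asc fragments are skipped (assumption: binary keyrings only).
    """
    files = [etc_apt / "trusted.gpg", *sorted((etc_apt / "trusted.gpg.d").glob("*.gpg"))]
    fps: set[str] = set()
    for f in files:
        if f.is_file():
            fps |= keyring_fingerprints(f)
    return fps


def needs_signed_by(required: set[str], trusted: set[str]) -> bool:
    """True unless every key in the suite's keyring is already trusted by apt."""
    return not required <= trusted


def sources_line(mirror: str, suite: str, components: list[str],
                 keyring: str, required: set[str], trusted: set[str]) -> str:
    """Build the deb line, pinning the mirror to its keyring only when needed."""
    opts = f"[signed-by={keyring}] " if needs_signed_by(required, trusted) else ""
    return f"deb {opts}{mirror} {suite} {' '.join(components)}"


if __name__ == "__main__":
    # Constructed fingerprints: a Debian host that does not trust the Ubuntu key.
    host = {"AAAA" * 10}      # keys trusted via /etc/apt (constructed)
    ubuntu = {"BBBB" * 10}    # keys in ubuntu-archive-keyring.gpg (constructed)
    print(sources_line("http://archive.ubuntu.com/ubuntu", "bionic", ["main"],
                       "/usr/share/keyrings/ubuntu-archive-keyring.gpg", ubuntu, host))
```

On a real host, replace the constructed sets with `keyring_fingerprints(Path("/usr/share/keyrings/ubuntu-archive-keyring.gpg"))` and `apt_trusted_fingerprints()`.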
