Hi josch. Thanks for replying! I just ran your script up to the "apt update", having the shell substitute $1 <- "bookworm" and $2 <- "DIRECTORY_FOR_CHROOT", and adding my new repo:

mkdir -p "$2/etc/apt" "$2/var/cache" "$2/var/lib"
cat << END > "$2/apt.conf"
Apt::Architecture "$(dpkg --print-architecture)";
Apt::Architectures "$(dpkg --print-architecture)";
Dir "$(cd "$2" && pwd)";
Dir::Etc::Trusted "$(eval "$(apt-config shell v Dir::Etc::Trusted/f)"; printf "$v")";
Dir::Etc::TrustedParts "$(eval "$(apt-config shell v Dir::Etc::TrustedParts/d)"; printf "$v")";
END
echo "deb http://deb.debian.org/debian/ $1 main" > "$2/etc/apt/sources.list"
echo "deb http://MYREPO $1 main" >> "$2/etc/apt/sources.list"

After I do this, DIRECTORY_FOR_CHROOT/apt.conf contains:

Apt::Architecture "amd64";
Apt::Architectures "amd64";
Dir "/home/dima/cadre/packaging/bookworm2-tst";
Dir::Etc::Trusted "/etc/apt/trusted.gpg";
Dir::Etc::TrustedParts "/etc/apt/trusted.gpg.d/";

Note that the Trusted keys are in the host, NOT in the chroot, so naturally the "apt update" complains about the missing keys. If I change the last line to

Dir::Etc::TrustedParts "MY_KEYRING_DIRECTORY";

then "apt update" still complains. And once again sysdig tells me that it IS actually finding and using my keys. Suggestions?

And I have another related question. I can work around this by copying my keys to /etc/apt/trusted.gpg.d/ on the host. This makes mmdebstrap happy, but the resulting chroot doesn't have my keys in ITS /etc/apt/trusted.gpg.d. So an "apt update" inside the chroot has the same problem as before: complaining that my repo is unverifiable. The docs aren't clear on whether those keys are supposed to be copied or not. Are they? If not, am I supposed to do that manually via an mmdebstrap hook?

Thanks