Hi,

Quoting Dima Kogan (2023-02-28 22:56:26)
> It's not actually that weird; I just wasn't looking at the error messages
> closely enough. The /etc/apt/sources.list has two repos:
>
> - main bookworm repo. Signed with the Debian keys
> - my repo. Signed with its own key
>
> If I "mmdebstrap --keyring MY-KEY-DIRECTORY" then apt actually does find
> the keys to my repo, and it's happy about it. The problem is that it
> then doesn't look in /etc/apt/trusted.gpg.d and it thinks the main
> bookworm repo is unverifiable. So there's no mystery here, but my use case
> still doesn't work.
ah yes, that makes sense. :)

> Some questions, if I may:
>
> - By default apt has /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*.
> Which of these is expected to contain the keys for Debian?

It seems that /etc/apt/trusted.gpg is a historic relic and keys from it are
removed by the postinst of debian-archive-keyring with the following code
comment next to it:

    # remove keys from the trusted.gpg file as they are now shipped in fragment
    # files in trusted.gpg.d

> - I want mmdebstrap to use the extra repo and the keys, so what's the right
> way to do that? I guess I need to:
>
> - Create new key directory
>
> - Copy /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/* and my new
> keys into it
>
> - Pass that to mmdebstrap --keyring
>
> - Add my new keys into the chroot with an mmdebstrap hook so that
> these are available inside the chroot
>
> Is that right? If so, can we make this explicit in the manpage?

I probably never should've added the --keyring argument. Its documentation
already states:

> Since apt only supports a single keyring file and directory, respectively,
> you can not use this option to pass multiple files and/or directories.

You can create a directory and copy your keys into it, yes. But the docs for
--keyring also suggest that you use signed-by instead. Is that not a better
solution than copying keys from debian-archive-keyring around? If you use
signed-by you also do not need the --keyring argument anymore. Though I agree
that I should also add some more information to the --keyring argument. What
do you think about the following patch? If that patch does not answer the
questions you've had, please tell me and I will improve the patch.

Thanks!

t a/mmdebstrap b/mmdebstrap index 01d9954..f450049 100755 --- a/mmdebstrap +++ b/mmdebstrap 
@@ -6366,13 +6366,22 @@ Example: Minimizing the number of packages installed from experimental =item B<--keyring>=I<file>|I<directory> -Change the default keyring to use by apt. By default, F</etc/apt/trusted.gpg> -and F</etc/apt/trusted.gpg.d> are used. Depending on whether a file or -directory is passed to this option, the former and latter default can be -changed, respectively. Since apt only supports a single keyring file and -directory, respectively, you can B<not> use this option to pass multiple files -and/or directories. Using the C<--keyring> argument in the following way is -equal to keeping the default: +Change the default keyring to use by apt during the initial setup. This is +similar to setting B<Dir::Etc::Trusted> and B<Dir::Etc::TrustedParts> using +B<--aptopt> except that the latter setting will be permanently stored in the +chroot while the keyrings passed via <--keyring> will only be visible to apt as +run by B<mmdebstrap>. Do not use B<--keyring> if apt inside the chroot needs to +know about your keys after the initial chroot creation by B<mmdebstrap>. + +By default, the local setting of B<Dir::Etc::Trusted> and +B<Dir::Etc::TrustedParts> are used to choose the keyring used by apt as run by +B<mmdebstrap>. These two locations are set to F</etc/apt/trusted.gpg> and +F</etc/apt/trusted.gpg.d> by default. Depending on whether a file or directory +is passed to this option, the former and latter default can be changed, +respectively. Since apt only supports a single keyring file and directory, +respectively, you can B<not> use this option to pass multiple files and/or +directories. Using the C<--keyring> argument in the following way is equal to +keeping the default: --keyring=/etc/apt/trusted.gpg --keyring=/etc/apt/trusted.gpg.d 
@@ -6381,6 +6390,10 @@ specifying the mirror like this: mmdebstrap mysuite out.tar "deb [signed-by=/path/to/key.gpg] http://..." +Another reason to use C<signed-by> instead of B<--keyring> is if apt inside the +chroot needs to know by what key the repository is signed even after the +initial chroot creation. + The C<signed-by> option will automatically be added to the final C<sources.list> if the keyring required for the selected I<SUITE> is not yet trusted by apt. Automatically adding the C<signed-by> option in these cases @@ -6392,6 +6405,13 @@ installed, then you can create a Ubuntu Bionic chroot on Debian like this: The resulting chroot will have a C<source.list> with a C<signed-by> option pointing to F</usr/share/keyrings/ubuntu-archive-keyring.gpg>. +You do not need to use B<--keyring> or C<signed-by> if you placed the keys that +apt needs to know about into F</etc/apt/trusted.gpg.d> in the B<--setup-hook> +(which is before C<apt update> runs), for example by using the <copy-in> +special hook. You also need to copy your keys into the chroot explicitly if the +key you passed via C<signed-by> points to a location that is not otherwise +populated during chroot creation (for example by installing a keyring package). + =item B<--dpkgopt>=I<option>|I<file> Pass arbitrary I<option>s to dpkg. Will be permanently added to
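Review bot: in the first hunk (@@ -6366,13 +6366,22 @@), `<--keyring>` in "the keyrings passed via <--keyring> will only be visible to apt" is missing its POD formatting code and will render literally; the rest of the paragraph writes B<--keyring>. Two grammar nits in the same hunk: "Change the default keyring to use by apt" reads better as "used by apt", and "the local setting of B<Dir::Etc::Trusted> and B<Dir::Etc::TrustedParts> are used" needs either "settings ... are used" or "setting ... is used".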
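Review bot: the paragraph added in the second hunk (@@ -6381,6 +6390,10 @@), "Another reason to use C<signed-by> instead of B<--keyring> is if apt inside the chroot needs to know by what key the repository is signed even after the initial chroot creation", restates the warning the first hunk already adds to the B<--keyring> entry ("Do not use B<--keyring> if apt inside the chroot needs to know about your keys after the initial chroot creation by B<mmdebstrap>"). Keeping one of the two and referring to it from the other would avoid the two wordings drifting apart in later edits.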
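Review bot: in the third hunk (@@ -6392,6 +6405,13 @@), `<copy-in>` is missing its C<> formatting code, unlike C<signed-by> and C<apt update> on the same lines. The sentence that follows, "You also need to copy your keys into the chroot explicitly if the key you passed via C<signed-by> points to a location that is not otherwise populated during chroot creation", is a separate point from the trusted.gpg.d case, not an addition to it, so "also" misleads; suggest stating it on its own: the C<signed-by> path is looked up inside the chroot, so the key file must exist at exactly that path before C<apt update> runs (the same C<copy-in> hook can place it there), otherwise apt treats the repository as unverifiable, which is the failure mode from the start of this thread.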
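The two approaches discussed in this thread, as an added example that is not code from mmdebstrap or from either participant: a merged directory for --keyring that keeps the Debian fragment keys next to the extra repository key (the step list Dima outlined), and the signed-by alternative from the patch, where the sources.list entry and the copy-in setup hook must agree on the key path inside the chroot. All key files here are constructed placeholders; /usr/share/keyrings as the in-chroot destination and the "copy-in SOURCE... DESTDIR" argument order of the special hook are assumptions for the illustration. The .gpg/.asc extension check reflects which fragment files apt reads from a trusted.gpg.d-style directory.

```shell
#!/bin/sh
# Added example, not code from mmdebstrap or from the thread above. It shows
# (1) one --keyring directory holding the Debian fragment keys plus an extra
# repository key, and (2) a signed-by sources.list entry plus the copy-in
# setup hook that puts the key at the same path inside the chroot.
# All key files used here are constructed placeholders.
set -eu

# (1) Merge apt's fragment directory (normally /etc/apt/trusted.gpg.d) and one
# extra key into a fresh directory that can be passed as --keyring=DIR.
#   $1 = fragment directory, $2 = extra key file, $3 = output directory
make_keyring_dir() {
    fragments=$1; extra_key=$2; out=$3
    # apt only reads fragments ending in .gpg or .asc; anything else would be
    # silently ignored and later surface as an "unverifiable" repository.
    case "$extra_key" in
        *.gpg|*.asc) ;;
        *) echo "key file must end in .gpg or .asc: $extra_key" >&2; return 1 ;;
    esac
    mkdir -p "$out"
    for f in "$fragments"/*.gpg "$fragments"/*.asc; do
        [ -e "$f" ] || continue           # pattern matched nothing
        cp "$f" "$out/"
    done
    if [ -e "$out/$(basename "$extra_key")" ]; then
        echo "would overwrite an existing fragment: $(basename "$extra_key")" >&2
        return 1
    fi
    cp "$extra_key" "$out/"
}

# Count the key fragments apt would actually read from a directory.
count_keys() {
    n=0
    for f in "$1"/*.gpg "$1"/*.asc; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# (2) signed-by: the key path is interpreted inside the chroot, so the entry
# and the copy-in hook must agree on it. /usr/share/keyrings is an assumed
# destination; any directory that exists in the chroot works.
#   $1 = key file on the host, $2 = repo URL, $3 = suite, $4 = components
signed_by_line() {
    echo "deb [signed-by=/usr/share/keyrings/$(basename "$1")] $2 $3 $4"
}

# Matching --setup-hook argument (runs before apt update; assumes the copy-in
# special hook takes host source paths followed by a chroot destination dir).
copy_in_hook() {
    echo "copy-in $1 /usr/share/keyrings"
}

# Stand-alone demonstration with constructed placeholder files.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/trusted.gpg.d"
    printf 'placeholder\n' > "$tmp/trusted.gpg.d/archive-placeholder-1.gpg"
    printf 'placeholder\n' > "$tmp/trusted.gpg.d/archive-placeholder-2.gpg"
    printf 'placeholder\n' > "$tmp/myrepo.gpg"
    make_keyring_dir "$tmp/trusted.gpg.d" "$tmp/myrepo.gpg" "$tmp/keyring"
    echo "keys in --keyring dir: $(count_keys "$tmp/keyring")"
    echo "mmdebstrap --keyring=$tmp/keyring bookworm out.tar"
    echo "sources.list entry: $(signed_by_line "$tmp/myrepo.gpg" http://repo.example.invalid/debian bookworm main)"
    echo "hook: --setup-hook='$(copy_in_hook "$tmp/myrepo.gpg")'"
    rm -rf "$tmp"
}

demo
```

The merged directory reproduces the apt default plus one key, so the --keyring run sees both the Debian keys and the repository key; the signed-by variant needs no --keyring at all, but the key has to be inside the chroot at the path named in the entry, which is what the hook line provides.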