On Thu, 12 Jun 2014 19:43:56 +0100 Wookey <woo...@wookware.org> wrote:
> +++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> > - [c]debootstrap
> > I think they both default now to verify signatures (which is a good
> > thing)... but IIRC, debootstrap also defaults to not verify
> > anything... if the keyrings aren't installed - admittedly this is
> > unlikely... but possible...
>
> I found that I could not get debootstrap to do verified downloads from
> debian-ports with a debian-ports key. Whatever I did with apt-key,
> keys and --keyring options, it just said that the key was unavailable
> and stopped. Nice and secure, but useless, so I've had to use
> sudo debootstrap --no-check-gpg unstable debian-arm64
> http://ftp.debian-ports.org/debian in the meantime.
>
> So it does default to signed downloads and SFAIK will always do this
> whether or not any keys are installed/available, unless explicitly
> disabled.
>
> And yes I should report a bug but have failed to do so thus far.
>
> If someone can tell me what I'm doing wrong that would improve the
> security of this particular usage :-)

This works for me:

sudo apt install debian-ports-archive-keyring
sudo apt-key add /usr/share/keyrings/debian-ports-archive-keyring.gpg
sudo debootstrap --variant=buildd --foreign --arch=arm64 --keyring /usr/share/keyrings/debian-ports-archive-keyring.gpg sid arm64-sid http://ftp.de.debian.org/debian-ports

Make sure apt-key list shows something including:

/etc/apt/trusted.gpg.d/debian-ports-archive-2014.gpg
----------------------------------------------------
pub   4096R/623DB0B8 2014-01-16 [expires: 2015-01-31]
uid                  Debian Ports Archive Automatic Signing Key (2014) <ftpmas...@debian-ports.org>

-- 
Neil Williams
=============
http://www.linux.codehelp.co.uk/
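
Added example (not part of the thread, and not code from debootstrap or Debian): a fail-closed wrapper around the debootstrap call shown above. It refuses --no-check-gpg and checks that the keyring holds at least one key that is not expired, revoked, invalid or disabled before bootstrapping. The function names and the sample key record are assumptions made for illustration; the expiry field is assumed to be epoch seconds, as gpg prints with --with-colons --fixed-list-mode.

```shell
#!/bin/sh
# Constructed sample: one `gpg --with-colons --fixed-list-mode` pub record.
# Field 2 = validity, field 7 = expiry in epoch seconds (empty = never).
# The key ID and dates are made up for this example.
SAMPLE_LISTING='pub:-:4096:1:0000000000000001:1389830400:1422662400::-:'

# Reads a colon listing on stdin. Succeeds only if at least one pub key is
# not flagged expired/revoked/invalid/disabled and is not past its expiry
# at time $1 (epoch seconds).
keyring_has_valid_key() {
    awk -F: -v now="$1" '
        $1 != "pub"                   { next }
        $2 ~ /^[erid]/                { next }
        $7 != "" && $7 + 0 <= now + 0 { next }
                                      { ok = 1 }
        END                           { exit !ok }'
}

# Hypothetical wrapper: verified_debootstrap KEYRING [debootstrap args...]
# Stops instead of falling back to an unverified download.
verified_debootstrap() {
    keyring=$1; shift
    for arg in "$@"; do
        case $arg in
            --no-check-gpg|--keyring|--keyring=*)
                echo "refusing caller-supplied $arg" >&2; return 1 ;;
        esac
    done
    [ -s "$keyring" ] || {
        echo "keyring missing or empty: $keyring" >&2; return 1; }
    gpg --no-default-keyring --keyring "$keyring" --with-colons \
        --fixed-list-mode --list-keys 2>/dev/null |
        keyring_has_valid_key "$(date +%s)" || {
        echo "no usable signing key in $keyring" >&2; return 1; }
    debootstrap --keyring "$keyring" "$@"
}
```

Run it as root with the keyring path first, followed by the same suite, target and mirror arguments as in the reply above.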