Hi,

On Wed, 13 Nov 2019 18:53:28 +0100 Johannes Schauer <jo...@debian.org> wrote:
> Quoting Benjamin Drung (2019-11-13 18:47:09)
> > Thanks for implementing it. Specifying --keyring before --aptopt fails:
> >
> > mmdebstrap --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
> > -v --aptopt='Acquire::http { Proxy "123"; }' \
> > buster /tmp/buster.tar.xz
>
> I know. The situation is actually worse. The problem is that apt only allows a
> single keyring file or directory. This means that we cannot have apt use the
> keyrings on the host and any manually specified keyrings at the same time. This
> is a problem.
>
> A solution would be to copy all keyring material from the host plus all
> additionally specified keys into the chroot. But this would dirty the chroot
> with all kinds of keyrings from the host, many of which are probably not meant
> to end up in every chroot the user creates.
>
> I'm still thinking about the right solution to this problem...
Okay, I think I have a solution that might fix all of this.

By default, when not manually passing a string like "deb http://... dist comp" as a MIRROR argument, mmdebstrap will add the signed-by option to the sources.list for known distributions. This would mean that for Debian, Ubuntu, Tanglu and Kali, apt would automatically choose the single right key file from /usr/share/keyrings instead of using /etc/apt/trusted.gpg.

Since apt only supports a single Dir::Etc::Trusted or Dir::Etc::TrustedParts option, the --keyring option can be made to override the default of /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d, respectively.

Alternatively (but this already works today), the user can always use the MIRROR argument together with the signed-by option to pass a custom keyring location for a specific mirror.

I think this should cover all possible use-cases.

Thanks!

cheers, josch
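The keyring-selection policy described in the reply above, written out as a small added illustration (not mmdebstrap's own code): a bare mirror URL for a known suite gets signed-by pinned to the archive keyring, a full "deb ..." MIRROR line passes through untouched, and --keyring arguments become the one Dir::Etc::Trusted file or Dir::Etc::TrustedParts directory that apt accepts. The suite table and the is_dir hook are assumptions for the example; only the Debian keyring path comes from the thread.

```python
import os

# Constructed suite -> archive keyring table for the example. The Debian path is
# the one from the thread; a real tool would carry Ubuntu, Tanglu and Kali too.
SUITE_KEYRINGS = {
    "buster": "/usr/share/keyrings/debian-archive-keyring.gpg",
    "bullseye": "/usr/share/keyrings/debian-archive-keyring.gpg",
    "sid": "/usr/share/keyrings/debian-archive-keyring.gpg",
    "unstable": "/usr/share/keyrings/debian-archive-keyring.gpg",
}


def sources_line(suite, mirror, components=("main",)):
    """Return the sources.list entry apt will see inside the chroot.

    A MIRROR given as a full "deb ..." line is passed through as-is, so a
    user-supplied [signed-by=...] option wins. A bare URL for a known suite
    gets signed-by pinned to that suite's archive keyring, so apt never has
    to fall back on the host's /etc/apt/trusted.gpg. Unknown suites get a
    plain line and rely on whatever trusted keyrings apt is configured with.
    """
    if mirror.startswith("deb "):
        return mirror
    comps = " ".join(components)
    keyring = SUITE_KEYRINGS.get(suite)
    if keyring is None:
        return f"deb {mirror} {suite} {comps}"
    return f"deb [signed-by={keyring}] {mirror} {suite} {comps}"


def trusted_overrides(keyrings, is_dir=os.path.isdir):
    """Translate --keyring arguments into apt options that replace the
    defaults of /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d.

    apt honours exactly one Dir::Etc::Trusted file and one
    Dir::Etc::TrustedParts directory, so a second of either kind is
    rejected loudly rather than silently dropped (is_dir is injectable
    so the decision can be tested without touching the filesystem).
    """
    dirs = [k for k in keyrings if is_dir(k)]
    files = [k for k in keyrings if not is_dir(k)]
    if len(files) > 1 or len(dirs) > 1:
        raise ValueError("apt accepts one trusted keyring file and one directory")
    opts = []
    if files:
        opts.append(f"Dir::Etc::Trusted={files[0]}")
    if dirs:
        opts.append(f"Dir::Etc::TrustedParts={dirs[0]}")
    return opts
```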