Hi,

On Wed, 13 Nov 2019 18:53:28 +0100 Johannes Schauer <jo...@debian.org> wrote:
> Quoting Benjamin Drung (2019-11-13 18:47:09)
> > Thanks for implementing it. Specifying --keyring before --aptopt fails:
> > 
> > mmdebstrap --keyring=/usr/share/keyrings/debian-archive-keyring.gpg \
> >   -v --aptopt='Acquire::http { Proxy "123"; }' \
> >   buster /tmp/buster.tar.xz
> I know. The situation is actually worse. The problem is that apt only allows a
> single keyring file or directory. This means that we cannot have apt use the
> keyrings on the host and any manually specified keyrings at the same time. This
> is a problem.
> 
> A solution would be to copy all keyring material from the host plus all
> additionally specified keys into the chroot. But this would dirty the chroot
> with all kinds of keyrings from the host, many of which are probably not meant
> to end up in every chroot the user creates.
> 
> I'm still thinking about the right solution to this problem...

Okay, I think I have a solution that might fix all of this.

By default, when not manually passing a string like "deb http://... dist comp"
as a MIRROR argument, mmdebstrap will add the signed-by option to the
sources.list for known distributions. This would mean that for Debian, Ubuntu,
Tanglu and Kali, apt would automatically choose the single right key file from
/usr/share/keyrings instead of using /etc/apt/trusted.gpg.

Since apt supports only a single Dir::Etc::Trusted or
Dir::Etc::TrustedParts option, the --keyring option can be made to override the
default of /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d, respectively.

Alternatively, (but this already works today) the user can always use the
MIRROR argument together with the signed-by option to pass a custom keyring
location for a specific mirror.

I think this should cover all possible use-cases.

Thanks!

cheers, josch
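The two mechanisms discussed in this thread, as an added example that is not part of the mail or of mmdebstrap itself: one helper builds a sources.list entry pinned to a single keyring via signed-by and refuses to emit it if that keyring is absent (so apt cannot quietly fall back to the host's /etc/apt/trusted.gpg), and the other turns a --keyring style argument into the apt option a --aptopt value would carry, choosing Dir::Etc::Trusted for a file and Dir::Etc::TrustedParts for a directory. The function names and the constructed keyring file are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not mmdebstrap's own code. Helper names are hypothetical.
set -e

# signed_by_entry MIRROR SUITE COMPONENTS KEYRING
# Prints "deb [signed-by=KEYRING] MIRROR SUITE COMPONENTS".
# Fails if KEYRING is missing or empty: a missing signed-by target would
# otherwise leave apt with nothing but the host's trusted.gpg to fall back on.
signed_by_entry() {
    mirror=$1; suite=$2; comps=$3; keyring=$4
    if [ ! -s "$keyring" ]; then
        echo "keyring not found or empty: $keyring" >&2
        return 1
    fi
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$mirror" "$suite" "$comps"
}

# trusted_aptopt KEYRING
# Prints the single apt option that makes KEYRING the only trusted material:
# a file replaces Dir::Etc::Trusted (/etc/apt/trusted.gpg), a directory
# replaces Dir::Etc::TrustedParts (/etc/apt/trusted.gpg.d). apt accepts only
# one value for each, which is the limitation described in the thread.
trusted_aptopt() {
    keyring=$1
    if [ -d "$keyring" ]; then
        printf 'Dir::Etc::TrustedParts "%s";\n' "$keyring"
    elif [ -f "$keyring" ]; then
        printf 'Dir::Etc::Trusted "%s";\n' "$keyring"
    else
        echo "no such keyring file or directory: $keyring" >&2
        return 1
    fi
}

# Demo with a constructed (non-functional) keyring file.
demo_keyring=$(mktemp)
printf 'constructed placeholder, not a real keyring\n' > "$demo_keyring"
signed_by_entry http://deb.debian.org/debian buster main "$demo_keyring"
trusted_aptopt "$demo_keyring"
rm -f "$demo_keyring"
```

The printed sources.list line is what the MIRROR argument of mmdebstrap would receive; the printed option is what --aptopt would receive.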
