Johannes Schauer Marin Rodrigues <jo...@debian.org> writes:

> The weirdest thing about your bug is that copying your key to
> /etc/apt/trusted.gpg.d/ makes it work for you because when you changed the
> location of Dir::Etc::TrustedParts it just pointed to a different directory.
> Apt should not treat keys differently just because the path to them looks
> different...

Hi Josch. Thanks for looking into this. You're right, it sounds weird
that apt would care about the name of the directory, so I just poked at
it again.

It's not actually that weird; I just wasn't looking at the error
messages closely enough. The /etc/apt/sources.list has two repos:

- main bookworm repo. Signed with the Debian keys
- my repo. Signed with its own key

If I "mmdebstrap --keyring MY-KEY-DIRECTORY" then apt actually does find
the keys to my repo, and it's happy about it. The problem is that it
then doesn't look in /etc/apt/trusted.gpg.d and it thinks the main
bookworm repo is unverifiable. So there's no mystery here, but my use
case still doesn't work. Some questions, if I may:

- By default apt has /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*.
  Which of these is expected to contain the keys for Debian?

- I want mmdebstrap to use the extra repo and the keys, so what's the
  right way to do that? I guess I need to:

  - Create new key directory

  - Copy /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/* and my new
    keys into it

  - Pass that to mmdebstrap --keyring

  - Add my new keys into the chroot with an mmdebstrap hook so that
    these are available inside the chroot

Is that right? If so, can we make this explicit in the manpage?

Thank you very much!
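
The steps proposed in the message above, as an added shell example (not part of the original message and not code from the mmdebstrap project). The function name `build_keyring_dir`, the `APT_ETC` override, the `host-trusted.gpg` file name, and the `my-repo.gpg` and `repo.example.invalid` placeholders are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: merge the host's apt keys and extra repository keys into one
# directory that can be handed to "mmdebstrap --keyring".
# APT_ETC (hypothetical override) lets the function run against a scratch tree.

build_keyring_dir() {
    # usage: build_keyring_dir DEST EXTRA_KEY...
    dest=$1; shift
    apt_etc=${APT_ETC:-/etc/apt}
    mkdir -p "$dest" || return 1

    # Legacy single-file keyring; it may not exist on the host at all.
    if [ -f "$apt_etc/trusted.gpg" ]; then
        cp "$apt_etc/trusted.gpg" "$dest/host-trusted.gpg" || return 1
    fi

    # Keyring fragments: apt only reads *.gpg and *.asc files from this
    # directory, so anything else is left behind.
    for k in "$apt_etc"/trusted.gpg.d/*.gpg "$apt_etc"/trusted.gpg.d/*.asc; do
        [ -f "$k" ] || continue    # unmatched glob stays literal; skip it
        cp "$k" "$dest/" || return 1
    done

    # Extra repository keys: fail loudly rather than build a keyring that
    # silently lacks the key the second repository needs.
    for k in "$@"; do
        if [ ! -s "$k" ]; then
            echo "missing or empty key: $k" >&2
            return 1
        fi
        cp "$k" "$dest/" || return 1
    done
}

# Typical use (my-repo.gpg and repo.example.invalid are placeholders):
#   build_keyring_dir ./keys ./my-repo.gpg
#   mmdebstrap --keyring=./keys \
#     --customize-hook='copy-in ./my-repo.gpg /etc/apt/trusted.gpg.d/' \
#     bookworm chroot.tar \
#     'deb http://deb.debian.org/debian bookworm main' \
#     'deb https://repo.example.invalid/debian bookworm main'
```
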
