Johannes Schauer Marin Rodrigues <jo...@debian.org> writes:

> The weirdest thing about your bug is that copying your key to
> /etc/apt/trusted.gpg.d/ makes it work for you because when you changed the
> location of Dir::Etc::TrustedParts it just pointed to a different directory.
> Apt should not treat keys differently just because the path to them looks
> different...

Hi Josch. Thanks for looking into this.

You're right, it sounds weird that apt would care about the name of the
directory, so I just poked at it again. It's not actually that weird; I
just wasn't looking at the error messages closely enough.

The /etc/apt/sources.list has two repos:

- main bookworm repo. Signed with the Debian keys
- my repo. Signed with its own key

If I "mmdebstrap --keyring MY-KEY-DIRECTORY" then apt actually does find
the keys to my repo, and it's happy about it. The problem is that it
then doesn't look in /etc/apt/trusted.gpg.d and it thinks the main
bookworm repo is unverifiable. So there's no mystery here, but my use
case still doesn't work.

Some questions, if I may:

- By default apt has /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/*.
  Which of these is expected to contain the keys for Debian?

- I want mmdebstrap to use the extra repo and the keys, so what's the
  right way to do that? I guess I need to:

  - Create new key directory
  - Copy /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/* and my new
    keys into it
  - Pass that to mmdebstrap --keyring
  - Add my new keys into the chroot with an mmdebstrap hook so that
    these are available inside the chroot

  Is that right? If so, can we make this explicit in the manpage?

Thank you very much!
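
The four steps proposed above, sketched as an added shell example; it is not part of the original message and is not confirmed by the mmdebstrap maintainers. The function name merge_keyring, its APT_ETC parameter and the paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# merge_keyring DEST EXTRA_KEY [APT_ETC]
# Build one directory holding the host's apt keys plus an extra repository
# key, suitable for "mmdebstrap --keyring=DEST".
# APT_ETC defaults to /etc/apt; it is a parameter (an assumption of this
# example) so the function can be exercised against a constructed tree.
merge_keyring() {
    dest=$1 extra=$2 etc=${3:-/etc/apt}
    [ -r "$extra" ] || { echo "extra key not readable: $extra" >&2; return 1; }
    # apt ignores files in a keyring directory unless they end in .gpg
    # (binary keyring) or .asc (ASCII-armored), so reject anything else early.
    case $extra in
        *.gpg|*.asc) ;;
        *) echo "extra key must end in .gpg or .asc: $extra" >&2; return 1 ;;
    esac
    mkdir -p "$dest" || return 1
    # Legacy single-file keyring; it may not exist on the host at all.
    if [ -f "$etc/trusted.gpg" ]; then
        cp "$etc/trusted.gpg" "$dest/" || return 1
    fi
    # Keyring fragments. An unmatched glob stays literal, hence the -f test.
    for f in "$etc"/trusted.gpg.d/*.gpg "$etc"/trusted.gpg.d/*.asc; do
        [ -f "$f" ] || continue
        cp "$f" "$dest/" || return 1
    done
    # Do not silently replace a host key that has the same file name.
    name=$(basename "$extra")
    if [ -e "$dest/$name" ]; then
        echo "name collision in $dest: $name" >&2
        return 1
    fi
    cp "$extra" "$dest/" || return 1
}

# Usage on the host (placeholder paths; remaining arguments elided):
#   merge_keyring ./keys ./my-repo.gpg
#   mmdebstrap --keyring=./keys \
#       --customize-hook='copy-in ./my-repo.gpg /etc/apt/trusted.gpg.d/' ...
```

The copy-in hook covers the last step: --keyring only affects the apt run that builds the chroot, so the extra key still has to be placed inside it for apt to trust the repo there.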