
Bug#851774: Stop using apt-key add to add keys in generators/60local



Package: apt-setup
Version: 1:0.123
Severity: serious

For a long time it's been possible to preseed a local repository that has its own keyring. However, with the latest changes related to gpg dependencies getting dropped in apt, this is no longer possible.

I'm setting severity as serious as advised by Julien Cristau on IRC. With the current state of things, in order to install a local repository with a keyring the user needs to somehow create a script that will put the keyring in place before 60local runs, and not preseed the keyring at all. If the keyring is preseeded, *the whole installation will fail* because apt-key add fails which causes 60local to fail, which causes the install base system step to fail.

This is the offending code:

This is using the deprecated apt-key add functionality.  From the apt-key manpage:

COMMANDS
       add filename
(...)
           Note: Instead of using this command a keyring should be placed directly in the /etc/apt/trusted.gpg.d/ directory with a descriptive name and either "gpg" or "asc" as file extension.

So, the right thing to do is to copy the file to the right path instead of calling apt-key add with it.

This was fixed in pbuilder back in September:

pbuilder (0.226.1) unstable; urgency=medium

  [ James Clarke ]
  * modules: add_additional_aptkeyrings:
    Copy keyrings to /etc/apt/trusted.gpg.d instead of using apt-key.
    We can no longer rely on being able to use apt-key in a minimal chroot,
    because gnupg has been demoted to a Recommends in apt. Instead, the
    keyrings can be copied directly into /etc/apt/trusted.gpg.d.
    Moreover, `apt-key` usage has been discouraged over the past years.
    This means that using the APTKEYRINGS option of pbuilder won't actually
    work with chroots older than squeeze (APT version 0.7.25.1)

-- 
Regards,
Marga
--
Cheers,
Marga
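
The approach described in the report above (copy the preseeded keyring into /etc/apt/trusted.gpg.d/ with a descriptive name and a "gpg" or "asc" extension, instead of calling apt-key add), sketched as an added shell example; it is not the apt-setup or pbuilder code. The function name, its arguments, the /target default root and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: install_local_keyring is a hypothetical helper.
# usage: install_local_keyring KEYFILE NAME [ROOT]
# ROOT defaults to /target (assumed: where the installer mounts the new system).
install_local_keyring() {
    src=$1 name=$2 root=${3:-/target}
    [ -s "$src" ] || { echo "keyring '$src' missing or empty" >&2; return 1; }
    # Conservative file name: letters, digits, '_', '-', '.'; no leading dot,
    # so a preseeded value cannot escape the directory or hide the file.
    case $name in
        ''|.*|*[!A-Za-z0-9_.-]*) echo "bad keyring name '$name'" >&2; return 1 ;;
    esac
    # The extension must match the content: "asc" for an ASCII-armored key,
    # "gpg" for a binary keyring (the two extensions the manpage names).
    if head -n 1 "$src" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        ext=asc
    else
        ext=gpg
    fi
    dir=$root/etc/apt/trusted.gpg.d
    mkdir -p "$dir" || return 1
    # Plain copy: no gpg binary is needed in the target system.
    cp "$src" "$dir/$name.$ext" || return 1
    chmod 0644 "$dir/$name.$ext" || return 1
    echo "$dir/$name.$ext"
}

# Constructed sample input (not a real key), installed under a scratch root.
demo_root=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' 'constructed' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_root/local0.key"
install_local_keyring "$demo_root/local0.key" local-repo-0 "$demo_root"
```

Because the file is only copied, a wrong extension or a malformed keyring does not fail at install time; it shows up later as a signature verification error from apt, which is the place to check after preseeding.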
