
Re: Custom GPG key for custom mirror within debian-installer



The ability to add a custom gpg key into the chroot within "/target" would be just fine.

Robert

sent from my mobile device


-------- Original Message --------
From: Geert Stappers <stappers@stappers.nl>
Sent: Fri Oct 04 22:16:55 GMT+02:00 2019
To: debian-boot@lists.debian.org
Subject: Re: Custom GPG key for custom mirror within debian-installer

On Fri, Oct 04, 2019 at 04:40:40PM +0200, Robert Paschedag wrote:
> Hi list,
> 
> I'm a bit stuck in installing buster via netinst.
> 
> Previously, I used the normal installation DVD as source and provided that as a "mirror" with
> the preseed configuration (via a webserver)
> 
> Since buster, this does not work anymore as "apt" now requires the repositories to be signed,
> which - of course - is a good idea.
> 
> The problem is that I'm unable to set a custom gpg key for a custom mirror, whereas I'm able to
> specify a custom GPG key for a "local" repository (bug just fixed within 10.1 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774)).
> 
> AND.....setting "allow_unauthenticated" to true does NOT work. I have this set already.
> 
> What "would" work (not that beautiful) is
> 
> - set the "custom" mirror as "[trusted=yes]" within https://salsa.debian.org/installer-team/apt-setup/blob/master/generators/50mirror or
> - also add the possibility to add custom GPG keys for a "mirror" (just like for a local repository) or
> - also set "Acquire::AllowInsecureRepositories" to "1" within
>   https://salsa.debian.org/installer-team/base-installer/blob/master/library.sh#L172
> 
> After my setup fails and I enter a "shell", setting "Acquire::AllowInsecureRepositories" to "true" (1) makes "apt-get update"
> succeed (with warnings present).
> 


I would go for option two:
 - add custom GPG keys for a "mirror" (just like for a local repository)

My approach would be a cpio? file that the bootloader sees as initrd extension.


No, I'm not 100% sure it will lead to success. It is only based on this:
- initrd has GPG information on which (Debian) keys to trust
- bootloaders can fetch multiple initrd files and present their content
  as a single file tree to the kernel


> Any help will be appreciated.

It is what I can offer right now.  Feel free to come with follow-up questions.



Greetings
Geert Stappers
-- 
Live and let live
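The "extra initrd" approach Geert sketches above, worked through as an added example (this is not code from the thread, from debian-installer or from apt-setup). The idea is that a second, gzip-compressed cpio archive handed to the kernel alongside the installer's initrd.gz is unpacked on top of it, so a keyring file placed in that archive appears inside the installer environment before apt runs. Everything here is an assumption to be checked before relying on it: the target path `usr/share/keyrings/custom-mirror-keyring.gpg` is a placeholder (the thread does not say where the installer-side apt looks for trusted keys, so confirm it against the apt-setup and base-installer udebs), and the keyring bytes are a constructed dummy rather than a real OpenPGP export. The script writes the newc cpio format the kernel's initramfs unpacker reads, including the directory entries it needs for each parent directory, and re-parses the result to prove it round-trips.

```python
"""
Build a gzip'd newc cpio overlay that a bootloader can pass as an extra
initrd, placing a custom apt keyring inside the debian-installer initramfs.

Added example, not debian-installer/apt-setup code.  Assumptions:
  - KEYRING_PATH is a placeholder; verify the real lookup path in the
    apt-setup / base-installer udebs before using this for an install.
  - DUMMY_KEYRING is constructed filler, not a real key.  A real overlay
    would embed the output of `gpg --export <KEYID>` for the mirror key.
"""
import gzip

KEYRING_PATH = "usr/share/keyrings/custom-mirror-keyring.gpg"   # assumed path
DUMMY_KEYRING = b"\x99\x01\x0dNOT-A-REAL-OPENPGP-KEY-PLACEHOLDER"  # constructed

MAGIC = b"070701"        # newc ("SVR4 without CRC") magic
DIR_MODE = 0o040755      # S_IFDIR | 0755
FILE_MODE = 0o100644     # S_IFREG | 0644


def _pad4(n: int) -> int:
    """Bytes of NUL padding needed to reach the next 4-byte boundary."""
    return (-n) % 4


def _entry(name: str, mode: int, data: bytes, ino: int) -> bytes:
    """One newc record: 110-byte ASCII-hex header, NUL-terminated name,
    then file data; header+name and data are each padded to 4 bytes."""
    name_b = name.encode() + b"\0"
    # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * _pad4(len(out))
    out += data + b"\0" * _pad4(len(data))
    return out


def build_overlay(files: dict) -> bytes:
    """Uncompressed newc archive of `files` ({path: bytes}), with a directory
    record for every parent so the kernel can create the leaf file."""
    entries, seen, ino = [], set(), 1
    for path, data in files.items():
        parts = path.strip("/").split("/")
        for depth in range(1, len(parts)):
            d = "/".join(parts[:depth])
            if d not in seen:
                seen.add(d)
                entries.append(_entry(d, DIR_MODE, b"", ino))
                ino += 1
        entries.append(_entry("/".join(parts), FILE_MODE, data, ino))
        ino += 1
    entries.append(_entry("TRAILER!!!", 0, b"", 0))  # end-of-archive marker
    return b"".join(entries)


def make_initrd_extension(files: dict) -> bytes:
    """The artifact the bootloader loads: the overlay, gzip-compressed."""
    return gzip.compress(build_overlay(files))


def parse_overlay(blob: bytes) -> dict:
    """Minimal newc reader used to verify the archive round-trips.
    Directories come back with empty data; the trailer is dropped."""
    out, off = {}, 0
    while True:
        assert blob[off:off + 6] == MAGIC, "bad newc magic"
        f = [int(blob[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[off + 110: off + 110 + namesize - 1].decode()
        off += 110 + namesize
        off += _pad4(off)                 # archive starts 4-aligned, so absolute pad is fine
        data = blob[off: off + filesize]
        off += filesize + _pad4(filesize)
        if name == "TRAILER!!!":
            return out
        out[name] = data


def round_trips(files: dict) -> bool:
    """True if compress -> decompress -> parse yields the files plus their parents."""
    parsed = parse_overlay(gzip.decompress(make_initrd_extension(files)))
    return all(parsed.get(p) == d for p, d in files.items())


if __name__ == "__main__":
    with open("custom-keyring.cpio.gz", "wb") as fh:
        fh.write(make_initrd_extension({KEYRING_PATH: DUMMY_KEYRING}))
    print("wrote custom-keyring.cpio.gz")
```

To load it, list the overlay after the installer's initrd: GRUB accepts several files on one `initrd` line (`initrd /initrd.gz /custom-keyring.cpio.gz`) and syslinux/pxelinux takes a comma-separated list (`initrd=initrd.gz,custom-keyring.cpio.gz`); the kernel unpacks them in order, so a file in the second archive overrides one at the same path in the first. Whether apt inside the installer actually consults the chosen path is exactly the part Geert flags as unverified, so check it in an installer shell (`ls -l` the path after boot, then watch `apt-get update` in the syslog) before preferring this to the `[trusted=yes]` or `AllowInsecureRepositories` workarounds, which disable signature checking outright.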


