On Thu, 12 Jun 2014 19:43:56 +0100
Wookey <wookey@wookware.org> wrote:
> +++ Christoph Anton Mitterer [2014-06-12 01:06 +0200]:
> > - [c]debootstrap
> > I think they both default now to verify signatures (which is a good
> > thing)... but IIRC, debootstrap also defaults to not verify
> > anything... if the keyrings aren't installed - admittedly this is
> > unlikely... but possible...
>
> I found that I could not get debootstrap to do verified downloads from
> debian-ports with a debian-ports key. Whatever I did with apt-key,
> keys and --keyring options, it just said that the key was unavailable
> and stopped. Nice and secure, but useless, so I've had to use
> sudo debootstrap --no-check-gpg unstable debian-arm64
> http://ftp.debian-ports.org/debian in the meantime.
>
> So it does default to signed downloads and SFAIK will always do this
> wether or not any keys are installed/available, unless explicitly
> disabled.
>
> And yes I should report a bug but have failed to do so thus far.
>
> If someone can tell me what I'm doing wrong that would improve the
> security of this particular usage :-)
>
This works for me:
sudo apt install debian-ports-archive-keyring
sudo apt-key add /usr/share/keyrings/debian-ports-archive-keyring.gpg
sudo debootstrap --variant=buildd --foreign --arch=arm64 --keyring /usr/share/keyrings/
debian-ports-archive-keyring.gpg sid arm64-sid http://ftp.de.debian.org/debian-ports
Make sure apt-key list shows something including:
/etc/apt/trusted.gpg.d/debian-ports-archive-2014.gpg
----------------------------------------------------
pub 4096R/623DB0B8 2014-01-16 [expires: 2015-01-31]
uid Debian Ports Archive Automatic Signing Key (2014) <ftpmaster@debian-ports.org>
--
Neil Williams
=============
http://www.linux.codehelp.co.uk/
Attachment:
signature.asc
Description: PGP signature