Here's a command to try building from a Raspbian image.
env DEBOOTSTRAP_OPTIONS="--keyring=/usr/share/keyrings/ raspbian-archive-keyring.gpg" lb config \
--archive-areas 'main firmware non-free' \
--distribution jessie \
--chroot-filesystem squashfs \
--architectures armhf \
--bootstrap-qemu-arch armhf \
--bootstrap-qemu-static /usr/bin/qemu-arm-static \
--parent-mirror-bootstrap http://archive.raspbian.org/raspbian \
--parent-mirror-chroot http://archive.raspbian.org/raspbian \
--parent-mirror-chroot-security http://archive.raspbian.org/ raspbian \
--parent-mirror-binary http://archive.raspbian.org/raspbian \
--parent-mirror-binary-security http://archive.raspbian.org/ raspbian \
--mirror-bootstrap http://archive.raspbian.org/raspbian \
--mirror-chroot http://archive.raspbian.org/raspbian \
--mirror-chroot-security http://archive.raspbian.org/raspbian \
--mirror-binary http://archive.raspbian.org/raspbian \
--mirror-binary-security http://archive.raspbian.org/raspbian \
--mirror-debian-installer http://archive.raspbian.org/raspbian
sudo DEBOOTSTRAP_OPTIONS="--keyring=/usr/share/keyrings/ raspbian-archive-keyring.gpg" lb build 2>&1 | tee build.log
Note that you need the raspbian-archive-keyring package[1]. Alternatively, I think there's a different debootstrap option that just ignores the signatures altogether.
Again, no hard feelings if you deem this out of scope, but... maybe it suggests there's a bug in the bootstrapping phase? Because the repos in the chroot seem to not be respecting what I've configured:
$ grep -isr "deb\.debian\.org"
build.log:I: Keyring file not available at /usr/share/keyrings/debian-archive-keyring.gpg; switching to https mirror https://deb.debian.org/debian
chroot/debootstrap/debootstrap:DEF_MIRROR="http:/ /deb.debian.org/debian "
chroot/debootstrap/debootstrap:DEF_HTTPS_MIRROR=" https://deb.debian.org/debian "
(Note that /usr/share/keyrings/debian-archive-keyring.gpg most certainly exists on the host, but maybe it's talking about the chroot.)
I've also noticed that in my "real" project, the bootstrap phase seems to bypass my apt-cacher-ng instance (which is specified as a localhost:3142 URL in those same options). Am I missing some option for making the bootstrapping phase aware of the different repositories?
[1] http://archive.raspbian.org/raspbian/pool/main/r/raspbian- archive-keyring/
- Jason