
Re: Bug#851774: Stop using apt-key add to add keys in generators/60local



[Adding deity@l.d.o into the loop]

On 18.01.2017 17:43, Marga Manterola wrote:
> For a long time it's been possible to preseed a local repository that
> has its own keyring. However, with the latest changes related to gpg
> dependencies getting dropped in apt, this is no longer possible.
> 
> I'm setting severity as serious as advised by Julien Cristau on IRC.
> With the current state of things, in order to install a local repository
> with a keyring the user needs to somehow create a script that will put
> the keyring in place before 60local runs, and not preseed the keyring at
> all.  If the keyring is preseeded, *the whole installation will fail*
> because apt-key add fails which causes 60local to fail, which causes the
> install base system step to fail.
> 
> This is the offending code:
> https://sources.debian.net/src/apt-setup/1:0.123/generators/60local/#L33
> 
> This is using the deprecated apt-key add functionality.  From the
> apt-key manpage:
> 
> COMMANDS
>        add filename
> (...)
>            Note: Instead of using this command a keyring should be
> placed directly in the /etc/apt/trusted.gpg.d/ directory with a
> descriptive name and either "gpg" or "asc" as file extension.
> 
> So, the right thing to do is to copy the file to the right path instead
> of calling apt-key add with it.

Does that mean that we actually have to infer (check using grep?) if the
file is armored or not? I think `apt-key add' just dealt with whatever
it got and put the key into the keyring using gpg's --import function.
So it's a little unfortunate that we'd now need to know the format of
what we need to put into the fragment directory.

Kind regards
Philipp Kern

Attachment: signature.asc
Description: OpenPGP digital signature
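
One way to handle the format question raised in the reply above, as an added example that is not part of the thread or of apt-setup: detect whether the key file is armored or binary, then copy it into the fragment directory with the matching extension. The helper names key_ext and install_local_key are hypothetical, the target directory is passed as an argument, and the demo files are constructed stand-ins, not real keys.

```sh
#!/bin/sh
# Added example, not apt-setup code; helper names are hypothetical.

# Print "asc" for an ASCII-armored public key, "gpg" for a binary OpenPGP
# public key, and return 1 for anything else.
key_ext() {
    if grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1" 2>/dev/null; then
        echo asc
        return 0
    fi
    # A binary keyring starts with a public-key packet (tag 6): first byte
    # 0x98, 0x99 or 0x9a in the old packet format, 0xc6 in the new one.
    first=$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$first" in
        98|99|9a|c6) echo gpg ;;
        *) return 1 ;;
    esac
}

# Copy key file $1 into fragment directory $2 as $3.<ext>; refuse files
# whose format is not recognised instead of guessing an extension.
install_local_key() {
    ext=$(key_ext "$1") || {
        echo "unrecognised key format: $1" >&2
        return 1
    }
    mkdir -p "$2" &&
    cp "$1" "$2/$3.$ext" &&
    chmod 644 "$2/$3.$ext"
}

# Demo on constructed files: an armor header line and a lone packet tag.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$demo/armored"
printf '\231\001\015' > "$demo/binary"
for f in armored binary; do
    install_local_key "$demo/$f" "$demo/trusted.gpg.d" "local-$f"
done
ls "$demo/trusted.gpg.d"   # local-armored.asc and local-binary.gpg
rm -rf "$demo"
```

The check only classifies the container format; it does not validate that the file holds a usable key.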

