diff --git a/CONF.sh b/CONF.sh
index 8fc185b3..618140b2 100644
--- a/CONF.sh
+++ b/CONF.sh
@@ -206,6 +206,11 @@ export JIGDO_CHECKSUM="md5"
 # The path to the keyring file relative to $TDIR/archive-keyring/
 #export ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
+# Extra keys that you might want apt to trust. List their fingerprints
+# here and debian-cd will grab them from the user's keyring as needed
+# (The example here is the buster release key)
+#export ARCHIVE_EXTRA_KEYS="80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE"
+
 # By default we use debootstrap --no-check-gpg to find out the minimal set
 # of packages because there's no reason to not trust the local mirror. But
 # you can be paranoid and then you need to indicate the keyring to use to
diff --git a/Makefile b/Makefile
index e2904ff5..19fc4ab0 100755
--- a/Makefile
+++ b/Makefile
@@ -269,6 +269,9 @@ $(ADIR)/status:
 $(Q)for ARCH in $(ARCHES); do \
 mkdir -p $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
 ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
+ for key in $(ARCHIVE_EXTRA_KEYS); do \
+ gpg --export -a $$key >> $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d/$$key.asc; \
+ done; \
 if [ "$$BACKPORTS"x != ""x ] ; then \
 mkdir -p $(ADIR)/$(CODENAME)-backports-$$ARCH/apt/trusted.gpg.d; \
 ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-backports-$$ARCH/apt/trusted.gpg.d; \
diff --git a/debian/changelog b/debian/changelog
index 2466de80..be9a3521 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,10 @@ debian-cd (3.1.29) UNRELEASED; urgency=medium
 [ Holger Levsen ]
 * Drop myself from uploaders.
+ [ Steve McIntyre ]
+ * Add easier support for extra archive signing keys - list
+ fingerprints in ARCHIVE_EXTRA_KEYS
+
 -- Raphaƫl Hertzog Thu, 13 Feb 2020 15:07:42 +0100
 debian-cd (3.1.28) unstable; urgency=medium
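Review bot: The new comment above `ARCHIVE_EXTRA_KEYS` in CONF.sh does not say how several keys are separated or that full fingerprints are expected. The Makefile side iterates the value with a shell `for`, so it is split on whitespace. I would extend the comment with a line such as `# Space-separated full (40-hex) fingerprints; keys are exported from the keyring of the user running the build.` so the operator knows that keyring is a trust input for the image build.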
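Review bot: In the Makefile hunk, the new `gpg --export -a $$key >> …/$$key.asc` line never checks that anything was exported, so a fingerprint that is mistyped or absent from the builder's keyring leaves an empty `.asc` in `trusted.gpg.d` and the build carries on. Nothing enforces that each entry is a full fingerprint either: gpg also accepts short key IDs and user-ID strings, which can match a different key than intended, and whatever matches becomes an apt trust anchor for this build. I would reject non-hex or short values, write with `>` so a re-run does not append a second copy, and fail the recipe when the output is empty, as sketched below. The added loop covers only the `$(CODENAME)-$$ARCH` directory; the backports branch below it still gets the keyring symlink alone, which may or may not be intended. The `$(ADIR)/status` recipe starts and ends outside the hunk.

```make
# … unchanged: mkdir -p and ln -s of the archive keyring for $$ARCH …
		for key in $(ARCHIVE_EXTRA_KEYS); do \
			case "$$key" in \
				*[!0-9A-Fa-f]*) echo "ARCHIVE_EXTRA_KEYS: '$$key' is not a hex fingerprint" >&2; exit 1;; \
			esac; \
			[ $${#key} -ge 40 ] || { echo "ARCHIVE_EXTRA_KEYS: '$$key' is shorter than a full fingerprint" >&2; exit 1; }; \
			out=$(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d/$$key.asc; \
			gpg --export -a "$$key" > "$$out" || exit 1; \
			[ -s "$$out" ] || { echo "ARCHIVE_EXTRA_KEYS: nothing exported for $$key" >&2; exit 1; }; \
		done; \
# … unchanged: BACKPORTS branch …
```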