Add easier support for extra archive signing keys

Useful when adding local packages

CONF.sh

@@ -206,6 +206,11 @@ export JIGDO_CHECKSUM="md5"
 # The path to the keyring file relative to $TDIR/archive-keyring/
 #export ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
 
+# Extra keys that you might want apt to trust. List their fingerprints
+# here and debian-cd will grab them from the user's keyring as needed
+# (The example here is the buster release key)
+#export ARCHIVE_EXTRA_KEYS="80D15823B7FD1561F9F7BCDDDC30D7C23CBBABEE"
+
 # By default we use debootstrap --no-check-gpg to find out the minimal set
 # of packages because there's no reason to not trust the local mirror. But
 # you can be paranoid and then you need to indicate the keyring to use to

Makefile

@@ -269,6 +269,9 @@ $(ADIR)/status:
 	$(Q)for ARCH in $(ARCHES); do \
 		mkdir -p $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
 		ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
+		for key in $(ARCHIVE_EXTRA_KEYS); do \
+			gpg --export -a $$key >> $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d/$$key.asc; \
+		done; \
 		if [ "$$BACKPORTS"x != ""x ] ; then \
 			mkdir -p $(ADIR)/$(CODENAME)-backports-$$ARCH/apt/trusted.gpg.d; \
 			ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-backports-$$ARCH/apt/trusted.gpg.d; \

debian/changelog

@@ -7,6 +7,10 @@ debian-cd (3.1.29) UNRELEASED; urgency=medium
   [ Holger Levsen ]
   * Drop myself from uploaders.
 
+  [ Steve McIntyre ]
+  * Add easier support for extra archive signing keys - list
+    fingerprints in ARCHIVE_EXTRA_KEYS
+
  -- Raphaël Hertzog <raphael@offensive-security.com>  Thu, 13 Feb 2020 15:07:42 +0100
 
 debian-cd (3.1.28) unstable; urgency=medium