Tweak logic to handle keyring for APT and debootstrap

Use ARCHIVE_KEYRING_PACKAGE and ARCHIVE_KEYRING_FILE parameters
and always use the unpacked keyring instead of the system-wide one.

Thanks to Robert Spencer <rspencer@lbsd.net> for the patch.

CONF.sh

@@ -51,6 +51,8 @@ unset OMIT_RELEASE_NOTES || true
 unset OMIT_DOC_TOOLS     || true
 unset MAX_PKG_SIZE       || true
 unset DEBOOTSTRAP_OPTS   || true
+unset ARCHIVE_KEYRING_PACKAGE || true
+unset ARCHIVE_KEYRING_FILE    || true
 
 # The debian-cd dir
 # Where I am (hoping I'm in the debian-cd dir)
@@ -179,15 +181,16 @@ export CONTRIB=1
 #export amd64_MKISOFS="xorriso"
 #export amd64_MKISOFS_OPTS="-as mkisofs -r -checksum_algorithm_iso md5,sha1"
 
+# Keyring (defaults):
+#ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+# The path to the keyring file relative to $TDIR/archive-keyring/
+#ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
+
 # By default we use debootstrap --no-check-gpg to find out the minimal set
 # of packages because there's no reason to not trust the local mirror. But
 # you can be paranoid and then you need to indicate the keyring to use to
 # validate the mirror.
-#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
-
-# Indicate the package which contains the keyrings needed so that APT
-# doesn't complain about unsigned package.
-#export ARCHIVE_KEYRING="debian-archive-keyring"
+#export DEBOOTSTRAP_OPTS="--keyring $TDIR/archive-keyring/$ARCHIVE_KEYRING_FILE"
 
 # ISOLinux support for multiboot on CD1 for i386
 export ISOLINUX=1

Makefile

@@ -37,8 +37,11 @@ endif
 ifndef HOOK
 HOOK=$(BASEDIR)/tools/$(CODENAME).hook
 endif
-ifndef ARCHIVE_KEYRING
-ARCHIVE_KEYRING=debian-archive-keyring
+ifndef ARCHIVE_KEYRING_PACKAGE
+ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+endif
+ifndef ARCHIVE_KEYRING_FILE
+ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
 endif
 
 export BUILD_DATE=$(shell date -u +%Y%m%d-%H:%M)
@@ -232,10 +235,10 @@ $(ADIR)/status:
 	# Set up keyring so apt doesn't complain
 	@echo "Setting up archive-keyring"
 	$(Q)mkdir -p $(TDIR)/archive-keyring
-	$(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) $(ARCHIVE_KEYRING)) $(TDIR)/archive-keyring
+	$(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) $(ARCHIVE_KEYRING_PACKAGE)) $(TDIR)/archive-keyring
 	$(Q)for ARCH in $(ARCHES); do \
 		mkdir -p $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
-		ln -s $(TDIR)/archive-keyring/usr/share/keyrings/* $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
+		ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
 	done
 
 	# Updating the apt database

debian/changelog

@@ -1,8 +1,9 @@
 debian-cd (3.1.13) UNRELEASED; urgency=low
 
   [ Robert Spencer ]
-  * Use ARCHIVE_KEYRING parameter to not hardcode debian-archive-keyring
-    and let derivatives use their own keyring package.
+  * Use ARCHIVE_KEYRING_PACKAGE and ARCHIVE_KEYRING_FILE parameters to
+    not hardcode debian-archive-keyring and let derivatives use their
+    own keyring.
 
  -- Raphaël Hertzog <hertzog@debian.org>  Fri, 12 Apr 2013 10:32:56 +0200