Stuffing bootstrapping of archive-keys for derivatives into lb_config, it's not a runtime thing and its logic should not be embedded in live-build but the config directory.

scripts/build/bootstrap

@@ -53,7 +53,6 @@ lb chroot_resolv install ${@}
 lb chroot_hostname install ${@}
 lb chroot_apt install ${@}
 
-lb bootstrap_archive-keys ${@}
 lb bootstrap_archives binary ${@}
 lb bootstrap_hooks ${@}
 

scripts/build/bootstrap_archive-keys

@@ -1,115 +0,0 @@
-#!/bin/sh
-
-## live-build(7) - System Build Scripts
-## Copyright (C) 2006-2013 Daniel Baumann <mail@daniel-baumann.ch>
-##
-## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
-## This is free software, and you are welcome to redistribute it
-## under certain conditions; see COPYING for details.
-
-
-set -e
-
-# Including common functions
-[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
-
-# Setting static variables
-DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')"
-HELP=""
-USAGE="${PROGRAM} [--force]"
-
-Arguments "${@}"
-
-# Reading configuration files
-Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
-Set_defaults
-
-# TODO: allow verification against user-specified keyring
-# For now, we'll only validate against debian-keyring
-
-# TODO2: use chrooted validation rather than host system based one
-
-case "${LB_MODE}" in
-	progress-linux)
-		case "${LB_DISTRIBUTION}" in
-			artax)
-				_KEYS="1-artax"
-				;;
-
-			artax-backports)
-				_KEYS="1-artax 1+-artax-backports"
-				;;
-
-			baureo)
-				_KEYS="2-baureo"
-				;;
-
-			baureo-backports)
-				_KEYS="2-baureo 2+-baureo-backports"
-				;;
-
-			chairon)
-				_KEYS="3-chairon"
-				;;
-
-			chairon-backports)
-				_KEYS="3-chairon 3+-chairon-backports"
-				;;
-		esac
-
-		_URL="${LB_MIRROR_CHROOT}/project/keys"
-		;;
-esac
-
-for _KEY in ${_KEYS}
-do
-	Echo_message "Fetching archive-key ${_KEY}..."
-
-	wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
-	wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig
-
-	if [ -e /usr/bin/gpgv ]
-	then
-		if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
-		then
-			_KEY_VALID=""
-
-			for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
-			do
-				if [ -e "${_KEYRING}" ]
-				then
-					Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg | sed -e 's|-keyring||') keyring..."
-
-					set +e
-					/usr/bin/gpgv --quiet --keyring ${_KEYRING} chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 && _KEY_VALID="true" && break
-					set -e
-				fi
-			done
-
-			case "${_KEY_VALID}" in
-				true)
-					Echo_message "Verifying ${_KEY} signature successful."
-					;;
-
-				*)
-					Echo_error "Verifying ${_KEY} signature failed."
-					return 1
-					;;
-			esac
-		else
-			Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..."
-		fi
-	else
-		Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..."
-	fi
-
-	Echo_message "Importing archive-key ${_KEY}..."
-
-	Chroot chroot "apt-key add key.asc"
-	rm -f chroot/key.asc chroot/key.asc.sig
-done
-
-Chroot chroot "apt-get update"
-
-# Creating stage file
-Create_stagefile .build/bootstrap_archive-keys

scripts/build/config

@@ -1357,6 +1357,8 @@ then
 	Echo_warning "Make sure you are using the newest version at all times."
 fi
 
+Echo_message "Symlinking hooks..."
+
 for _HOOK in "${LIVE_BUILD}"/share/hooks/*.hook* /usr/share/live/build/hooks/*.hook*
 do
 	if [ -e "${_HOOK}" ] && [ ! -e "config/hooks/$(basename ${_HOOK})" ]
@@ -1393,5 +1395,89 @@ Name: ${LIVE_IMAGE_NAME}
 Type: ${LIVE_IMAGE_TYPE}
 EOF
 
+# TODO: allow verification against user-specified keyring
+# For now, we'll only validate against debian-keyring
+
+# TODO2: use chrooted validation rather than host system based one
+
+case "${LB_MODE}" in
+	progress-linux)
+		case "${LB_DISTRIBUTION}" in
+			artax)
+				_KEYS="1-artax"
+				;;
+
+			artax-backports)
+				_KEYS="1-artax 1+-artax-backports"
+				;;
+
+			baureo)
+				_KEYS="2-baureo"
+				;;
+
+			baureo-backports)
+				_KEYS="2-baureo 2+-baureo-backports"
+				;;
+
+			chairon)
+				_KEYS="3-chairon"
+				;;
+
+			chairon-backports)
+				_KEYS="3-chairon 3+-chairon-backports"
+				;;
+		esac
+
+		_URL="${LB_MIRROR_CHROOT}/project/keys"
+		;;
+
+	*)
+		_KEYS=""
+		;;
+esac
+
+for _KEY in ${_KEYS}
+do
+	Echo_message "Fetching archive-key ${_KEY}..."
+
+	wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc" -O config/archives/${LB_MODE}.bootstrap.key
+	wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc.sig" -O config/archives/${LB_MODE}.bootstrap.key.sig
+
+	if [ -e /usr/bin/gpgv ]
+	then
+		if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
+		then
+			_KEY_VALID=""
+
+			for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
+			do
+				if [ -e "${_KEYRING}" ]
+				then
+					Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg | sed -e 's|-keyring||') keyring..."
+
+					set +e
+					/usr/bin/gpgv --quiet --keyring ${_KEYRING} config/archives/${LB_MODE}.key.sig config/archives/${LB_MODE}.key > /dev/null 2>&1 && _KEY_VALID="true" && break
+					set -e
+				fi
+			done
+
+			case "${_KEY_VALID}" in
+				true)
+					Echo_message "Verifying ${_KEY} signature successful."
+					;;
+
+				*)
+					Echo_error "Verifying ${_KEY} signature failed."
+					return 1
+					;;
+			esac
+		else
+			Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..."
+		fi
+	else
+		Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..."
+	fi
+done
+
 # Creating stage file
 Create_stagefile .build/config