salsa-ci: Ensure that our local sources.list has a [signed-by=...]
Having reported #1091679 it became apparent that the problem relates to repos that are missing a signed-by setting, which means that it can be fixed by editing the code that creates the sources.list.udeb.local in salsa.yml, thus avoiding the need to touch any of the actual code in D-I.
However, this does suggest that we'll need to make a similar change to gen-sources.list.udeb at some point -- I still don't see why the same bug is not already hitting when sources.list.udeb is in use :-/
earlier description follows:
Without this apt 2.9.19 fails, complaining that: .../build/apt.udeb/etc/apt/trusted.gpg.d is not a directory, and that it cannot verify signatures because no keyring is specified.
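An added example, not part of the merge request or the project's code: a POSIX shell check that lists one-line-style apt source entries lacking a signed-by option, the condition the description above identifies. The sample entries (including the copy: path) are constructed; the keyring path is the one quoted in the apt warning on this page.

```shell
#!/bin/sh
# Print "<line number>: <entry>" for every deb/deb-src entry in a one-line-style
# sources.list file that has no signed-by option. Returns 1 if any were found.
missing_signed_by() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }  # only source entries
        {
            opts = ""
            # Options, when present, sit in one [ ... ] group after the type.
            if (match($0, /^[ \t]*deb(-src)?[ \t]+\[[^]]*\]/)) {
                opts = substr($0, RSTART, RLENGTH)
                sub(/^[^[]*\[/, "", opts)
                sub(/\]$/, "", opts)
            }
            n = split(opts, kv, /[ \t]+/)
            found = 0
            # Compare the option name case-insensitively; require a value.
            for (i = 1; i <= n; i++)
                if (tolower(kv[i]) ~ /^signed-by=./) found = 1
            if (!found) { printf "%d: %s\n", NR, $0; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample input (not taken from the MR or from salsa.yml).
write_sample() {
    cat <<'EOF'
# constructed sample
deb [trusted=yes] copy:/build/localudebs/ local/
deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] https://deb.debian.org/debian unstable main/debian-installer
deb-src https://deb.debian.org/debian unstable main
EOF
}

sample=$(mktemp)
write_sample > "$sample"
if missing_signed_by "$sample"; then
    echo "all entries carry signed-by"
else
    echo "entries above have no signed-by"
fi
rm -f "$sample"
```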
Hello @philh,
I've been working on the d-i upload for Trixie Alpha 1 for a number of days, was waiting for a final package to go through (I'll spare you the details) with everything staged, only to find a change I didn't quite understand. Since my basic approach in that kind of situation is “I want fewer moving pieces, not more”, I've moved that aside in a branch. This MR is about not forgetting it.
I haven't seen any issues regarding “trusted.gpg.d” in either regular builds (dpkg-buildpackage or cowbuilder before uploading, or sbuild on buildds) or in daily builds on porterboxes. I haven't had any issues when stashing local packages (pre-upload) under build/localudebs either, they've been used successfully.
What I'm aware of is something that looks different:
W: https://deb.debian.org/debian/dists/unstable/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg). Use Signed-By instead. See the USER CONFIGURATION section in apt-secure(8) for details.
(And that's not quite new, i.e. not tied to the recent apt update.)
So could you tell a bit more about the context that required that change, and what errors go away?
Also, it'd be best to have self-documenting commits (i.e. adding a debian/changelog entry).
Thanks.