Subject: Re: Additional debian repo with different pgp key
To: Andreas Reichel, isar-users@googlegroups.com
From: "Maxim Yu. Osipov"
Organization: ilbers GmbH
Date: Wed, 20 Feb 2019 15:52:02 +0300

Hi Andreas.

This is a known problem - I faced it when I tried to add the signed repo
https://obs.linaro.org/project/show/linaro-overlay-stretch (this is not a
full debian repo - it just contains some linaro packages).

DISTRO_APT_KEYS doesn't fit this requirement, as it is used only for the
primary repo and is passed directly to debootstrap, overriding the default
keyring.

    --keyring=KEYRING
        Override the default keyring for the distribution being
        bootstrapped, and use KEYRING to check signatures of retrieved
        Release files.

Patches are welcomed.

Maxim.

On 2/15/19 4:16 PM, Andreas Reichel wrote:
> Hi,
>
> I have a problem with using a separate docker repository together with
> its key.
>
> As far as I understood it, I have to do the following:
>
> 1st, create a list file which mentions the docker repository:
>
> So I created a docker-stretch.list, where I have the line
>
> ----
> deb http://download.docker.com/linux/debian stretch stable
> ----
>
> This file is added via
>
> ----
> DISTRO_APT_SOURCES_append = " conf/distro/docker-stretch.list"
> ----
>
> which is working.
>
> Then I add the `docker-ce` package to `IMAGE_PREINSTALL` which does not
> work because the package is untrusted. Therefore I have to import the
> pgp key, which I should be able to do with
>
> 2nd: add the key to apt keys:
>
> ----
> DISTRO_APT_KEYS_append = " https://download.docker.com/linux/debian/gpg;sha256sum=1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570"
> ----
>
> However, then I get the following error:
>
> ----
> | DEBUG: Executing shell function do_generate_keyring
> | gpg: WARNING: unsafe permissions on homedir '/build/build/downloads'
> | gpg: keybox '/build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg' created
> | gpg: can't open '/build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/linux/debian/gpg': No such file or directory
> | gpg: Total number processed: 0
> | WARNING: exit code 2 from a shell command.
>
> ----
>
> It seems, that the last part of the URL is appended to the working
> directory. But the resulting directory does not exist. What is the
> intended course of action for this standard scenario to use another
> debian repo for image building?
>
> Last patch I saw on next was about local keys.
> But standard should be remote keys with URI I think, because every repo
> that needs one should provide one this way... am I wrong?
>
> vG
> Andreas
>

-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov
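
Added example, not part of either message and not Isar code: it parses a DISTRO_APT_KEYS-style entry, shows the WORKDIR-plus-URL-path location from the gpg error next to a basename location in a download directory, and hands back the key file only when its SHA-256 matches the pin. The function names and the basename-in-downloads layout are assumptions; the key bytes in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def parse_key_entry(entry):
    """Split 'URI;name=value' into (uri, params)."""
    uri, *rest = entry.strip().split(";")
    return uri, dict(p.split("=", 1) for p in rest if "=" in p)


def candidate_paths(entry, workdir, downloads):
    """Return (WORKDIR + URL path, as in the gpg error; downloads + basename)."""
    uri, _ = parse_key_entry(entry)
    url_path = urlparse(uri).path.lstrip("/")
    return Path(workdir) / url_path, Path(downloads) / Path(url_path).name


def verified_key(entry, downloads):
    """Return the fetched key file only if it matches the pinned sha256sum."""
    uri, params = parse_key_entry(entry)
    pinned = params.get("sha256sum")
    if not pinned:
        raise ValueError(f"no sha256sum pin for {uri}")
    local = Path(downloads) / Path(urlparse(uri).path).name
    actual = hashlib.sha256(local.read_bytes()).hexdigest()
    if actual != pinned.lower():
        raise ValueError(f"checksum mismatch for {local.name}")
    return local


def demo():
    # Constructed stand-in for a fetched key; not the real Docker key.
    with tempfile.TemporaryDirectory() as downloads:
        key = Path(downloads) / "gpg"
        key.write_bytes(b"constructed key material\n")
        pin = hashlib.sha256(key.read_bytes()).hexdigest()
        entry = f" https://download.docker.com/linux/debian/gpg;sha256sum={pin}"
        ok = verified_key(entry, downloads).name
        key.write_bytes(b"tampered\n")  # simulate a changed file after pinning
        try:
            verified_key(entry, downloads)
        except ValueError:
            return ok, "rejected"
        return ok, "accepted"


if __name__ == "__main__":
    print(demo())
```

Only a file that passes `verified_key` would then be imported into a keyring dedicated to that repository; an entry without a pin is refused rather than trusted.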