Fix Grml repository usage

More recent versions of apt no longer accept unsigned repositories, and fail with:

| The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| Reading package lists... Done
| W: GPG error: http://deb.grml.org grml-stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| E: The repository 'http://deb.grml.org grml-stable InRelease' is not signed.
| N: Updating from such a repository can't be done securely, and is therefore disabled by default.
| N: See apt-secure(8) manpage for repository creation and user configuration details.

By enabling the Acquire::AllowInsecureRepositories=1 option, we can avoid this failure:

| W: GPG error: http://deb.grml.org grml-stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| W: The repository 'http://deb.grml.org grml-stable InRelease' is not signed.
| N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
| N: See apt-secure(8) manpage for repository creation and user configuration details.

While at it:

* simplify code
* don't check for "grml" inside /etc/apt/sources.list.d/grml.list,
  instead assume the file was set up as needed if it exists already
* improve apt pinning configuration:
  - no need to pin Grml *and* Debian repositories, instead let's
    set up only the Grml repository and reduce it to a pinning of 100
  - use /etc/apt/preferences.d/grml.pref instead of /etc/apt/preferences
* drop direct gpg usage, this is error prone (gpg keyservers known to be
  unavailable, we might not have gpg executable available, its code is
  fallback and untested,...)
* set up Grml's apt configuration with usage of
  "signed-by=/usr/share/keyrings/grml-archive-keyring.gpg"

Thanks: Karl Voit for the bug report
Closes: grml/grml-debootstrap#187

diff --git a/chroot-script b/chroot-script
index e59b829..101764d 100755 (executable)
--- a/chroot-script
+++ b/chroot-script
@@ -152,48 +152,46 @@ remove_chrootmirror() {
 
 # set up grml repository {{{
 grmlrepos() {
 
 # set up grml repository {{{
 grmlrepos() {

-  if [ -n "$GRMLREPOS" ] ; then
-     # user might have provided their own apt sources.list
-     if ! grep -q grml /etc/apt/sources.list.d/grml.list 2>/dev/null ; then
-        cat >> /etc/apt/sources.list.d/grml.list << EOF
+  if [ -z "$GRMLREPOS" ] ; then
+    return 0
+  fi
+
+  # user might have provided their own apt sources configuration
+  if [ -r /etc/apt/sources.list.d/grml.list ] ; then
+    echo "File /etc/apt/sources.list.d/grml.list exists already, not modifying."
+  else
+    echo "Setting up /etc/apt/sources.list.d/grml.list."
+    cat > /etc/apt/sources.list.d/grml.list << EOF

 # grml: stable repository:
 # grml: stable repository:

-  deb     http://deb.grml.org/ grml-stable  main
-  deb-src http://deb.grml.org/ grml-stable  main
+  deb     [signed-by=/usr/share/keyrings/grml-archive-keyring.gpg] http://deb.grml.org/ grml-stable main
+  deb-src [signed-by=/usr/share/keyrings/grml-archive-keyring.gpg] http://deb.grml.org/ grml-stable main

 
 # grml: testing/development repository:
 
 # grml: testing/development repository:

-  deb     http://deb.grml.org/ grml-testing main
-  deb-src http://deb.grml.org/ grml-testing main
+  deb     [signed-by=/usr/share/keyrings/grml-archive-keyring.gpg] http://deb.grml.org/ grml-testing main
+  deb-src [signed-by=/usr/share/keyrings/grml-archive-keyring.gpg] http://deb.grml.org/ grml-testing main

 EOF
 EOF

-     fi
-
-     # shellcheck disable=SC2086
-     if apt-get update $DPKG_OPTIONS; then
-       # shellcheck disable=SC2086
-       apt-get -y --allow-unauthenticated install grml-debian-keyring $DPKG_OPTIONS
-       # shellcheck disable=SC2086
-       apt-get update $DPKG_OPTIONS
-     else
-       # make sure we have the keys available for aptitude
-       gpg --keyserver subkeys.pgp.net --recv-keys 709BCE51568573EBC160E590F61E2E7CECDEA787
-       gpg --export 709BCE51568573EBC160E590F61E2E7CECDEA787 | apt-key add - || true # not yet sure
-       # why it's necessary, sometimes we get an error even though it works [mika]
-     fi
-
-     # make sure we install packages from Grml's pool only if not available
-     # from Debian!
-     if ! grep -q grml /etc/apt/preferences 2>/dev/null ; then
-        cat >> /etc/apt/preferences << EOF
-// debian pool (default):
-Package: *
-Pin: release o=Debian
-Pin-Priority: 996
+  fi

 
 

-// main grml-repository:
+  # make sure we install packages from Grml's pool only if not available from Debian
+  if [ -r /etc/apt/preferences.d/grml.pref ] ; then
+    echo "File /etc/apt/preferences.d/grml.pref exists already, not modifying."
+  else
+    echo "Setting up /etc/apt/preferences.d/grml.pref."
+    cat > /etc/apt/preferences.d/grml.pref << EOF
+Explanation: use Grml repository only after Debian ones

 Package: *
 Pin: origin deb.grml.org
 Package: *
 Pin: origin deb.grml.org

-Pin-Priority: 991
+Pin-Priority: 100

 EOF
 EOF

-     fi
+  fi
+
+  apt-get update -o Acquire::AllowInsecureRepositories=1
+  apt-get -y --allow-unauthenticated install grml-debian-keyring
+  apt-get update
+
+  if [ "$(dpkg-query -f "\${db:Status-Status} \${db:Status-Eflag}" -W grml-debian-keyring 2>/dev/null)" != 'installed ok' ]; then
+    echo "Error: installation of grml-debian-keyring failed." >&2
+    exit 1

   fi
 }
 # }}}
   fi
 }
 # }}}