From: Michael Prokop <mika@grml.org>
Date: Fri, 3 Dec 2021 12:08:52 +0000 (+0100)
Subject: Fix Grml repository usage
X-Git-Tag: v0.100~2
X-Git-Url: https://git.grml.org/?p=grml-debootstrap.git;a=commitdiff_plain;h=ea978f623109baa1d686f90d200cb50fd2d3fdff;hp=ea978f623109baa1d686f90d200cb50fd2d3fdff

Fix Grml repository usage

More recent versions of apt no longer accept unsigned repositories, and fail with:

| The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| Reading package lists... Done
| W: GPG error: http://deb.grml.org grml-stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| E: The repository 'http://deb.grml.org grml-stable InRelease' is not signed.
| N: Updating from such a repository can't be done securely, and is therefore disabled by default.
| N: See apt-secure(8) manpage for repository creation and user configuration details.

By enabling the Acquire::AllowInsecureRepositories=1 option, we can avoid this failure:

| W: GPG error: http://deb.grml.org grml-stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 21E0CA38EA2EA4AB
| W: The repository 'http://deb.grml.org grml-stable InRelease' is not signed.
| N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
| N: See apt-secure(8) manpage for repository creation and user configuration details.

While at it:

* simplify code
* don't check for "grml" inside /etc/apt/sources.list.d/grml.list,
  instead assume the file was set up as needed if it exists already
* improve apt pinning configuration:
  - no need to pin Grml *and* Debian repositories, instead let's
    set up only the Grml repository and reduce it to a pinning of 100
  - use /etc/apt/preferences.d/grml.pref instead of /etc/apt/preferences
* drop direct gpg usage, this is error prone (gpg keyservers known to be
  unavailable, we might not have gpg executable available, its code is
  fallback and untested,...)
* set up Grml's apt configuration with usage of
  "signed-by=/usr/share/keyrings/grml-archive-keyring.gpg"

Thanks: Karl Voit for the bug report
Closes: grml/grml-debootstrap#187
---