[1/2] add variables to inject config into mmdebstrap

Message ID 20260306160255.1017503-2-felix.moessbauer@siemens.com
State: Priority Review
Series: Restore bootstrapping of raspios on trixie host

Commit Message

Felix Moessbauer March 6, 2026, 4:02 p.m. UTC
When working with old repos, signing keys might be used which are not
considered secure by the host apt (which is used during ``mmdebstrap``),
either due to the key's expiry date or due to insecure signature
algorithms. To work around this, we introduce the variables
``MMAPTOPT_NOEXPKEYSIGN`` and ``DISTRO_MM_OPTS``. While the former
provides an argument to disable the key expiry checking, the latter
allows users to inject custom options into ``mmdebstrap``.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
 RECIPE-API-CHANGELOG.md                                | 10 ++++++++++
 .../isar-mmdebstrap/isar-mmdebstrap-target.bb          |  1 +
 meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc  |  7 +++++++
 3 files changed, 18 insertions(+)

Patch

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 0bad8a44..e44b4b9d 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -962,3 +962,13 @@  INSTALLER_UNATTENDED_ABORT_ENABLE = "1"
 # Optional: set countdown timeout in seconds (default 5)
 INSTALLER_UNATTENDED_ABORT_TIMEOUT = "5"
 ```
+
+### Working with old and unofficial debian repos
+
+When working with old repos, signing keys might be used which are not considered
+secure by the host apt (which is used during ``mmdebstrap``), either due to the
+keys expiry date or due to insecure signature algorithms. To work around this,
+we introduce the variables ``MMAPTOPT_NOEXPKEYSIGN`` and ``DISTRO_MM_OPTS``.
+While the former provides an argument to disable the key expiry checking, the
+latter allows users to inject custom options into ``mmdebstrap``. For details,
+see ``man mmdebstrap``. Use with care!
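Review bot: the new section names the two variables but never shows how they are wired together, and nothing in the patch itself consumes `MMAPTOPT_NOEXPKEYSIGN`, so a reader cannot tell that it only takes effect when they set something like `DISTRO_MM_OPTS = "${MMAPTOPT_NOEXPKEYSIGN}"` in their distro conf; add that one-liner. "Use with care!" should also say what is actually given up: the gpgv wrapper accepts signatures from expired keys and, per the comment in isar-mmdebstrap.inc, SHA1-based keys that apt blocks on purpose, so the Release file of such a repo is no longer verified to apt's normal standard and the setting should be scoped to the one distro that needs it rather than set globally. Minor: "Debian" is a proper noun in the heading, and "keys expiry date" should read "key's expiry date".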
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
index 227ff04c..a9695d44 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap-target.bb
@@ -8,6 +8,7 @@ 
 Description = "Minimal target Debian root file system"
 
 DEPLOY_ISAR_BOOTSTRAP = "${DEPLOY_DIR_BOOTSTRAP}/${DISTRO}-${DISTRO_ARCH}"
+MMOPTS ?= "${DISTRO_MM_OPTS}"
 
 PROVIDES += "bootstrap-target"
 
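Review bot: `MMOPTS ?= "${DISTRO_MM_OPTS}"` only wins over the `MMOPTS ?= ""` default in isar-mmdebstrap.inc if it is parsed first, i.e. if this line sits above the `require` of the .inc in the recipe, because with `?=` the first assignment BitBake sees is the one that sticks; please confirm the placement, otherwise the target recipe never picks up `DISTRO_MM_OPTS`. Independently, give `DISTRO_MM_OPTS` a default (`DISTRO_MM_OPTS ?= ""` next to the `MMOPTS` default in the .inc): BitBake leaves a reference to an undefined variable unexpanded, so without one the literal `${DISTRO_MM_OPTS}` lands in the do_bootstrap script and only disappears because the shell expands an unset name to nothing.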
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
index ce34245f..6c2cb170 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
@@ -22,6 +22,12 @@  DPKG_HOOKS ?= "${@'--hook-dir='+d.getVar('MM_HOOK_JESSIE') \
 MMHOOKS:focal ?= "${DPKG_HOOKS}"
 MMHOOKS:buster ?= "${DPKG_HOOKS}"
 
+# disable key expiration checking during bootstrapping
+# this also works around the blocking of Sha1 keys when using old repos
+# https://wiki.debian.org/Teams/Apt/Sha1Removal
+MMAPTOPT_NOEXPKEYSIGN = "--aptopt='Apt::Key::gpgvcommand \"/usr/libexec/mmdebstrap/gpgvnoexpkeysig\"'"
+MMOPTS ?= ""
+
 DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
 
 def get_distro_have_https_source(d):
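Review bot: `MMAPTOPT_NOEXPKEYSIGN` is defined here but not referenced anywhere in this patch, so it is purely an opt-in building block; the comment above it should say that it has no effect unless assigned into `DISTRO_MM_OPTS`, and should state plainly that it relaxes apt's signature verification (expired keys and the SHA1 keys apt blocks per the linked wiki page), not merely a date check, so that users scope it to the affected distro. The quoting is also worth confirming with `bitbake -e`: BitBake stores the `\"` sequences literally and the surrounding single quotes keep the shell from unescaping them, so verify that the string reaching `--aptopt` is the exact form shown in `man mmdebstrap` rather than one still carrying backslashes.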
@@ -236,6 +242,7 @@  do_bootstrap() {
                    --customize-hook='chroot "$1" /usr/bin/apt-get -y clean' \
                    --skip=cleanup/apt \
                    --skip=download/empty \
+                   ${MMOPTS} \
                    ${@get_apt_opts(d, '--aptopt')} \
                    ${@get_distro_components_argument(d)} \
                    "${@get_distro_suite(d)}" \
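Review bot: `${MMOPTS}` is inserted before the generated `${@get_apt_opts(d, '--aptopt')}` and component arguments, so for any option mmdebstrap treats as single-valued the generated value is the last one on the command line and a user's injected option cannot take precedence; if `DISTRO_MM_OPTS` is meant to let users override what Isar generates (the changelog calls it injecting custom options), move the line after those arguments, and either way document the intended precedence. Accumulating options such as `--aptopt` are unaffected by the order.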