From e36caade11a2194e361cfa00f6dc837455ade024 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Taavi=20V=C3=A4=C3=A4n=C3=A4nen?=
Date: Tue, 21 Feb 2023 02:15:09 +0200
Subject: [PATCH] images/debian: follow modern third-party repository conventions
Updates the Debian image to match modern conventions: * Use a separate file in /etc/apt/sources.list.d per each repository instead of adding everything to sources.list. * Instead of using trusted.gpg.d, add each repository key to /etc/apt/keyrings.d and set the signed-by option on the sources.list entry. * Drop use of apt-key in the installation. These are based on this document: https://wiki.debian.org/DebianRepository/UseThirdParty
---
 images/debian/functions | 16 +++++++++++-----
 images/debian/genimg | 1 -
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/images/debian/functions b/images/debian/functions
index 058e076..6e6341c 100644
--- a/images/debian/functions
+++ b/images/debian/functions
@@ -52,6 +52,7 @@ add_repository() {
 distro=$(echo $src | cut -d' ' -f2)
 cmpnt=$(echo $src | cut -d' ' -f3)
 key=$(echo $src | cut -d' ' -f4)
+ signed_by=""
 if [ "$key" != "" ]
 then
 # Import the GPG key into a user trustdb
@@ -60,16 +61,21 @@ add_repository() {
 --keyserver hkp://keyserver.ubuntu.com:80 \
 --recv-keys $key
+ guest_ssh -p $port build@localhost sudo \
+ mkdir -pm 0755 /etc/apt/keyrings
+
 # Export the GPG key to Apt's key directory
 guest_ssh -p $port build@localhost sudo \
 gpg \
- --output /etc/apt/trusted.gpg.d/$key.gpg \
+ --output /etc/apt/keyrings/$name.gpg \
 --export $key
+
+ signed_by="[signed-by=/etc/apt/keyrings/$name.gpg]"
 fi
- printf 'deb %s %s %s\n' "$repo" "$distro" "$cmpnt" \
- | guest_ssh -p $port build@localhost sudo tee -a /etc/apt/sources.list
- printf 'deb-src %s %s %s\n' "$repo" "$distro" "$cmpnt" \
- | guest_ssh -p $port build@localhost sudo tee -a /etc/apt/sources.list
+ printf 'deb %s %s %s %s\n' "$signed_by" "$repo" "$distro" "$cmpnt" \
+ | guest_ssh -p $port build@localhost sudo tee -a /etc/apt/sources.list.d/$name.list
+ printf 'deb-src %s %s %s %s\n' "$signed_by" "$repo" "$distro" "$cmpnt" \
+ | guest_ssh -p $port build@localhost sudo tee -a /etc/apt/sources.list.d/$name.list
 guest_ssh -p "$port" build@localhost sudo apt-get update
 }
diff --git a/images/debian/genimg b/images/debian/genimg
index be72d6a..fff5f1d 100755
--- a/images/debian/genimg
+++ b/images/debian/genimg
@@ -109,7 +109,6 @@ EOF
 echo 'APT::Install-Recommends "False";' > /mnt/etc/apt/apt.conf.d/60recommends
-run_root apt-key update
 run_root apt-get update
 run_root apt-get -y install locales
 run_root apt-get -y install $kpkg
-- 
2.38.5
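Review bot: In the second hunk of images/debian/functions, `$name` is now built into two root-owned paths, `/etc/apt/keyrings/$name.gpg` and `/etc/apt/sources.list.d/$name.list`, but it is passed to the guest unquoted and is never validated in the lines shown. If guest_ssh wraps ssh, as its name suggests, a name containing a space, a slash or a shell metacharacter is re-parsed by the remote shell under sudo and lands somewhere other than the intended file; apt also skips files in sources.list.d whose names contain anything besides letters, digits, `_`, `-` and `.`, so such a repository would not be used. I would reject these names before the first use with `case "$name" in ''|*[!A-Za-z0-9_.-]*) echo "invalid repository name: $name" >&2; return 1;; esac`; the start of add_repository is outside the hunk, so the check goes above the lines shown. The signed-by scoping also only helps if `$key` pins exactly one key, and the fetch still goes over plain hkp with whatever ID the caller supplies, so a comment next to `--recv-keys` requiring a full fingerprint would be worth adding. The commit message names /etc/apt/keyrings.d, while the code creates /etc/apt/keyrings.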