Hi,

Olaf Meeuwissen <paddy-hack@???> writes:

> Hi,
>
> Mark Hindley <mark@???> writes:
>
>> On Thu, Jun 29, 2023 at 08:30:19PM +0900, Olaf Meeuwissen wrote:
>>> Hi all,
>>>
>>> I got a pile of "package such-and-such migrated to excalibur" in my
>>> mailbox today. Yeay! So I had a go on building a container image for
>>> it, per
>>
>> PLease don't. I was just starting to set it up. It isn't ready and won't work
>> (yet). I expect to have it finished over the weekend.
>
> Ok, I'll wait a bit then. I was just seeing what, if anything, needed
> changes in the scripts I use to build the images.
>
>>> [...]
>>> My migration script grabs the devuan-archive-keyring from
>>>

>>>    https://files.devuan.org/devuan-archive-keyring.gpg

>>>
>>> and that has been working fine for all maintained releases so far.
>>> It looks that file needs to be updated to include a new key (or a
>>> key on that keyring should be used to sign the InRelease file).
>>
>> You need the daedalus version (2023.05.28) of devuan-keyring which
>> includes the correct key.
>
> During migration, I need the key(s) used to sign the Devuan archives
> while still on Debian. And I like to do so in a slightly more secure
> way than installing a devuan-keyring package by telling apt-get to
> --allow-insecure-repositories *and* --allow-unauthenticated.
>
> # Seeing the use of these options suggested in the migration guide[1]
> # made my toes curl ...
> #
> # [1]: https://www.devuan.org/os/documentation/install-guides/chimaera/bullseye-to-chimaera
>
> That's why I use
>

>   curl --silent --location --show-error \
>        --output /etc/apt/trusted.gpg.d/devuan-archive-keyring.gpg \
>        https://files.devuan.org/devuan-archive-keyring.gpg

>
> before switching over the APT sources from Debian to Devuan.
>
> # Pun intended ;-)
>
> Having a single, stable URL to get the keys is extremely convenient for
> this when you are migrating *all* maintained releases whenever there is
> a change in package versions and/or dependencies ;-)
>
> So if the new key(s) can be added that would be much appreciated.
>
> That reminds me, I should add checksumming of that file so attempts to
> fiddle with it do not go unnoticed.
>
> Hmm, I just looked at the two migration scripts that migration guide
> links to and noticed that both use wget to grab the devuan-keyring
> package and dpkg to install it. That might be an alternative but I'd
> need to use different versions of the package for different releases.
> As per pkginfo[2], 2022.09.04 for beowulf and chimaera and 2023.05.28
> for daedalus and ceres (and the upcoming excalibur).
>
> [2]: https://pkginfo.devuan.org/cgi-bin/policy-query.html?c=package&q=devuan-keyring&x=submit

After some research[3], I've decided to add any keys used to sign
InRelease file to the git repository used to build the images.
Saves me from having to checksum in the scripts as well ;-)

[3]: https://git.devuan.org/paddy-hack/container-images/issues/46#issuecomment-2963

I've created a PR[4] and GitLab CI/CD results should be in some time
tomorrow. I still need/want to refactor some of the mucking around with
temporarily installing curl but that for after those results are in.

[4]: https://git.devuan.org/paddy-hack/container-images/pulls/49

BTW, I noticed a devuan-keyring-freia-archive.gpg in 2023.07.01 of the
devuan-keyring package. If Freia has been decided upon than it should
probably be mentioned as having been chosen on

https://beta.devuan.org/os/releases

Hope this helps,
--
Olaf Meeuwissen