Creating a trusted pbuilder environment

pbuilder before 0.207 ignores secure apt's verification warnings, and happily uses untrusted debs to build. Since 0.207 (available since wheezy or squeeze-backports) this is fixed in the default configuration.

For older versions, it's fairly easy to build a trusted pbuilder environment by hand:

  pbuilder create --debootstrap debootstrap --debootstrapopts --keyring=/etc/apt/trusted.gpg

This tells pbuilder to pass the default apt keyring on to debootstrap, which then verifies the packages it downloads against that keyring. Debootstrap also installs the keyring as /etc/apt/trusted.gpg inside the chroot, so the apt installs that pbuilder runs inside the chroot afterwards verify packages as well.

You can also write this to /etc/pbuilderrc:

  DEBOOTSTRAPOPTS="--keyring=/etc/apt/trusted.gpg"

Note that I also had to force pbuilder to use debootstrap instead of cdebootstrap, because cdebootstrap doesn't support --keyring. Also, --keyring is not (yet) documented in debootstrap's manpage, although you can find it in debootstrap --help.
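The following shell script is an added example, not part of this wiki page or of pbuilder itself. It decides whether an installed pbuilder version is older than the 0.207 threshold given above (and so still needs the workaround), emits the matching pbuilderrc lines only in that case, and checks that an unpacked chroot really contains the keyring debootstrap is supposed to have installed. The function names are this example's own; `DEBOOTSTRAP=` is the pbuilderrc form of the `--debootstrap` command-line option used above.

```shell
#!/bin/sh
# Added example, not from the wiki page: helpers for deciding whether the
# --keyring workaround is needed and for checking the result.

# Succeeds (exit 0) when the pbuilder version in $1 is older than 0.207.
# Debian suffixes such as "0.207~bpo60+1" or "0.206+nmu1" are stripped
# first; only the numeric "0.NNN" part is compared.
needs_keyring_workaround() {
    ver=${1%%[!0-9.]*}          # drop everything from the first non [0-9.]
    major=${ver%%.*}
    case "$ver" in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;         # bare "1" style version, no minor part
    esac
    [ "${major:-0}" -gt 0 ] && return 1
    [ "${minor:-0}" -lt 207 ]
}

# Print the /etc/pbuilderrc lines recommended above, but only for pbuilder
# versions that still need them; prints nothing for 0.207 and newer.
pbuilderrc_for_version() {
    if needs_keyring_workaround "$1"; then
        printf '%s\n' 'DEBOOTSTRAP="debootstrap"' \
                      'DEBOOTSTRAPOPTS="--keyring=/etc/apt/trusted.gpg"'
    fi
}

# Succeeds when the chroot unpacked under $1 carries a non-empty apt keyring
# at /etc/apt/trusted.gpg, i.e. debootstrap honoured --keyring and apt inside
# the chroot will verify Release signatures from now on.
chroot_has_keyring() {
    [ -s "$1/etc/apt/trusted.gpg" ]
}

# Typical use on a Debian host (commented out so the file can be sourced):
#   ver=$(dpkg-query -W -f '${Version}' pbuilder)
#   pbuilderrc_for_version "$ver" >> /etc/pbuilderrc
#   mkdir /tmp/base && tar -C /tmp/base -xzf /var/cache/pbuilder/base.tgz
#   chroot_has_keyring /tmp/base && echo "keyring present in chroot"
```

The version check mirrors dpkg's numeric comparison of version components, so the real-world versions named on this page (0.207 and the older ones) sort correctly; the chroot check is the quickest way to confirm, after `pbuilder create`, that the keyring actually made it into the base tarball.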


Progress of this is tracked in http://bugs.debian.org/317998