Creating a trusted pbuilder environment
pbuilder before 0.207 ignores secure apt's verification warnings and happily uses untrusted debs to build. Since 0.207 (available in wheezy and in squeeze-backports) this is fixed in the default configuration.
For older versions, use the following. It's fairly easy to build a trusted pbuilder environment:
pbuilder create --debootstrap debootstrap --debootstrapopts --keyring=/etc/apt/trusted.gpg
This tells pbuilder to tell debootstrap to verify packages using the default apt keyring. In turn, debootstrap installs that keyring in /etc/apt/ inside the chroot, so that all later apt installs done inside the chroot also verify the packages.
You can also write this to /etc/pbuilderrc:
DEBOOTSTRAPOPTS="--keyring=/etc/apt/trusted.gpg"
Note that I also had to force pbuilder to use debootstrap instead of cdebootstrap, because cdebootstrap doesn't support --keyring. Also, --keyring is not (yet) documented in debootstrap's manpage, although you can find it in debootstrap --help.
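Two shell checks, added here as an example (not from the wiki page or from pbuilder itself): one inspects a pbuilder base tarball (default path /var/cache/pbuilder/base.tgz) for the apt keyring that debootstrap should have installed when --keyring was used, the other lints a pbuilderrc for the settings described above. The trusted.gpg.d directory is the newer apt keyring layout and is not mentioned on the page; sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of pbuilder.

# Return 0 if the base tarball contains a non-empty /etc/apt/trusted.gpg or a
# non-empty key file under /etc/apt/trusted.gpg.d/, 1 otherwise (2 if unreadable).
# Assumes GNU tar listing format (size in field 3, name in the last field).
check_base_keyring() {
    tgz="$1"
    [ -r "$tgz" ] || { echo "cannot read $tgz" >&2; return 2; }
    tar -tzvf "$tgz" | awk '
        {
            size = $3; name = $NF
            sub(/^\.\//, "", name); sub(/^\//, "", name)
            if (name == "etc/apt/trusted.gpg" && size > 0) found = 1
            if (name ~ /^etc\/apt\/trusted\.gpg\.d\/.+\.(gpg|asc)$/ && size > 0) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Return 0 if the pbuilderrc passes --keyring to debootstrap and does not select
# cdebootstrap (which does not support --keyring), 1 otherwise.
check_pbuilderrc() {
    rc="$1"
    grep -Eq '^[[:space:]]*DEBOOTSTRAPOPTS=.*--keyring=' "$rc" || return 1
    ! grep -Eq '^[[:space:]]*DEBOOTSTRAP=.*cdebootstrap' "$rc"
}

# Usage on a real system:
#   check_base_keyring /var/cache/pbuilder/base.tgz && check_pbuilderrc /etc/pbuilderrc
```

Both functions only read files, so they can be run on an existing base.tgz before deciding whether to recreate it.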
Progress of this is tracked in http://bugs.debian.org/317998