Creating a trusted pbuilder environment

I figured out that pbuilder ignores secure apt's verification warnings, and was deeply disappointed. One cannot tell everyone that pbuilder is the preferred build environment when pbuilder is happily using untrusted debs to build.

After some digging, however, I found out that it's fairly easy to build a trusted pbuilder environment:

  pbuilder create --debootstrap debootstrap --debootstrapopts --keyring=/etc/apt/trusted.gpg

This tells pbuilder to tell debootstrap to check packages using the default apt keyring. In turn, debootstrap will install the keyring in /etc/apt/ in the chroot, and so that the rest of the apt-installing done inside the chroot will verify the packages.

You can also write this to /etc/pbuilderrc:

DEBOOTSTRAPOPTS="--keyring=/etc/apt/trusted.gpg"

Note that I also had to force pbuilder to use debootstrap instead of cdebootstrap, because cdebootstrap doesn't support --keyring. Also, --keyring is not (yet) documented in debootstrap's manpage, although you can find it in debootstrap --help.


CategoryDeveloper

Progress of this is tracked in http://bugs.debian.org/317998