diff --git a/mmdebstrap b/mmdebstrap index 01d9954..47f0cb5 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -6366,13 +6366,26 @@ Example: Minimizing the number of packages installed from experimental =item B<--keyring>=I|I -Change the default keyring to use by apt. By default, F -and F are used. Depending on whether a file or -directory is passed to this option, the former and latter default can be -changed, respectively. Since apt only supports a single keyring file and -directory, respectively, you can B use this option to pass multiple files -and/or directories. Using the C<--keyring> argument in the following way is -equal to keeping the default: +Change the default keyring to use by apt during the initial setup. This is +similar to setting B and B using +B<--aptopt> except that the latter setting will be permanently stored in the +chroot while the keyrings passed via <--keyring> will only be visible to apt as +run by B. Do not use B<--keyring> if apt inside the chroot needs to +know about your keys after the initial chroot creation by B. This +option is mainly intended for users who use B as a B +drop-in replacement. As such, it is probably not what you want to use if you +use B with more than a single mirror unless you pass it a directory +containing all the keyrings you need. + +By default, the local setting of B and +B are used to choose the keyring used by apt as run by +B. These two locations are set to F and +F by default. Depending on whether a file or directory +is passed to this option, the former and latter default can be changed, +respectively. Since apt only supports a single keyring file and directory, +respectively, you can B use this option to pass multiple files and/or +directories. Using the C<--keyring> argument in the following way is equal to +keeping the default: --keyring=/etc/apt/trusted.gpg --keyring=/etc/apt/trusted.gpg.d 
@@ -6381,6 +6394,10 @@ specifying the mirror like this: mmdebstrap mysuite out.tar "deb [signed-by=/path/to/key.gpg] http://..." +Another reason to use C instead of B<--keyring> is if apt inside the +chroot needs to know by what key the repository is signed even after the +initial chroot creation. + The C option will automatically be added to the final C if the keyring required for the selected I is not yet trusted by apt. Automatically adding the C option in these cases @@ -6392,6 +6409,13 @@ installed, then you can create a Ubuntu Bionic chroot on Debian like this: The resulting chroot will have a C with a C option pointing to F. +You do not need to use B<--keyring> or C if you placed the keys that +apt needs to know about into F in the B<--setup-hook> +(which is before C runs), for example by using the +special hook. You also need to copy your keys into the chroot explicitly if the +key you passed via C points to a location that is not otherwise +populated during chroot creation (for example by installing a keyring package). + =item B<--dpkgopt>=I
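Review bot: In the first hunk (@@ -6366,13 +6366,26 @@), the added line "chroot while the keyrings passed via <--keyring> will only be visible to apt as" writes the option as <--keyring> without the leading B, while every other mention in this patch is B<--keyring>. Change it to B<--keyring> so it is marked up the same way as the rest. In the same paragraph, the caveat about using more than a single mirror ends with "unless you pass it a directory containing all the keyrings you need", and the next paragraph repeats that only a single keyring file and directory are supported. Consider stating the single-file, single-directory limit once and referring back to it.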
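Review bot: In the second hunk (@@ -6381,6 +6394,10 @@), the added paragraph opens with "Another reason to use ... instead of B<--keyring>", but the reason it gives (apt inside the chroot needing to know the key after the initial chroot creation) is already stated in the first hunk as "Do not use B<--keyring> if apt inside the chroot needs to know about your keys after the initial chroot creation". Either drop the repetition here and point back to the B<--keyring> description, or reword so that this paragraph adds only what is specific to the per-repository setting, namely that the chroot keeps a record of which key signs which repository.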
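Review bot: In the third hunk (@@ -6392,6 +6409,13 @@), the last added sentence, "You also need to copy your keys into the chroot explicitly if the key you passed ... points to a location that is not otherwise populated during chroot creation", does not say whether "location" means the path on the host or the same path inside the chroot. The preceding context says the resulting chroot gets an entry pointing at that path, so spell out that the key file must exist at that same path inside the chroot, otherwise the entry left behind refers to a file that is not there. A short example invocation for the B<--setup-hook> case, in the style of the "mmdebstrap mysuite out.tar ..." example earlier in this section, would make the paragraph easier to apply.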