Copy apt gpg keys directly into trusted.gpg.d

This avoids having to have gnupg2/apt-key dependencies in the base,
and is now well supported by modern Debuntu.

Signed-off-by: Matthew Thode <mthode@mthode.org>
Change-Id: I7065b2fab6125d9635ef99ff65d374b8b6b4c3a2

diskimage_builder/elements/dpkg/environment.d/10-debian-minimal.bash

@@ -0,0 +1 @@
+export DIB_ADD_APT_KEYS=${DIB_ADD_APT_KEYS:-""}

diskimage_builder/elements/dpkg/extra-data.d/01-copy-apt-keys

@@ -1,39 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014 Hewlett-Packard Development Company, L.P.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
-    set -x
-fi
-set -eu
-set -o pipefail
-
-DIB_ADD_APT_KEYS=${DIB_ADD_APT_KEYS:-""}
-if [ -z "${DIB_ADD_APT_KEYS}" ]; then
-    echo "DIB_ADD_APT_KEYS is not set - not importing keys"
-    exit 0
-fi
-
-DIR=${TMP_MOUNT_PATH}/tmp/apt_keys
-if [ -e ${DIR} ]; then
-    echo "${DIR} already exists!"
-    exit 1
-fi
-sudo mkdir -p ${DIR} # dib-lint: safe_sudo
-
-# Copy to DIR
-for KEY in $(find ${DIB_ADD_APT_KEYS} -type f); do
-    sudo cp -L ${KEY} ${DIR} # dib-lint: safe_sudo
-done

diskimage_builder/elements/dpkg/pre-install.d/02-add-apt-keys

@@ -1,37 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014 Hewlett-Packard Development Company, L.P.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
-    set -x
-fi
-set -eu
-set -o pipefail
-
-KEY_DIRECTORY=/tmp/apt_keys
-if [ ! -d "${KEY_DIRECTORY}" ]; then
-    exit 0
-fi
-
-for KEY in ${KEY_DIRECTORY}/*; do
-    if ! file -b "${KEY}" | grep -qE '(PGP public key block|GPG key public ring)'; then
-        echo "Skipping ${KEY}, not a valid GPG public key"
-        continue
-    fi
-
-    apt-key add ${KEY}
-done
-
-apt-get -y update

diskimage_builder/elements/dpkg/root.d/09-apt-keyring

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Copyright (c) 2020 Matthew Thode (mthode@mthode.org)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+#
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# dib-lint: disable=safe_sudo
+
+if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+if [ -n "${DIB_ADD_APT_KEYS}" ]; then
+    find "${DIB_ADD_APT_KEYS}" -type f -exec sudo cp -L {} "${TARGET_ROOT}/etc/apt/trusted.gpg.d/" \;
+fi

releasenotes/notes/dpkg-copy-keys-578e16f7fedd823b.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The ``DIB_ADD_APT_KEYS`` argument now copies keys into
+    ``/etc/apt/trusted.gpg.d``, rather than using ``apt-key`` to add
+    them.