feat: Use same keyring for all releases

A change in 2024 [0] was made to debootstrap in which the keyring is now switched from ubuntu-archive-keyring.gpg to ubuntu-archive-removed-keys.gpg after a given release goes EOL. This means that the Release signature cannot be verified after EOL since the Release is signed with the ubuntu-archive-keyring.gpg. It is expected that we can continue to build any release even after the suite is closed. This change adds a debootstrap configuration to override this behavior and ensure all of our images are verified against the main archive key. Refs: [0] https://git.launchpad.net/ubuntu/+source/debootstrap/commit/?id=4f8b3405097b9f655938528ae7105ec534eb7d1b
2026-02-21 09:23:28 +00:00 · 2026-02-16 18:25:56 -05:00 · 2026-02-16 18:25:56 -05:00 · 7e3c74afac
commit 7e3c74afac
parent 460037fb4d
1 changed files with 2 additions and 0 deletions
--- a/live-build/auto/config
+++ b/live-build/auto/config
@ -1397,6 +1397,8 @@ if [ -n "$PASSES" ] && [ -z "$LIVE_PASSES" ]; then
 	     "Either set \$LIVE_PASSES or add a pass ending with '.live'."
 fi

+echo "DEBOOTSTRAP_OPTIONS=\"--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg\"" >> config/bootstrap
+
 echo "LB_CHROOT_HOOKS=\"$CHROOT_HOOKS\"" >> config/chroot
 echo "SUBPROJECT=\"${SUBPROJECT:-}\"" >> config/chroot
 echo "LB_DISTRIBUTION=\"$SUITE\"" >> config/chroot