From 7e3c74afacdfc7adab02ddf8e3c670659a557687 Mon Sep 17 00:00:00 2001
From: Michael Raymond
Date: Mon, 16 Feb 2026 18:25:56 -0500
Subject: [PATCH] feat: Use same keyring for all releases

A change in 2024 [0] was made to debootstrap in which the keyring is now switched from ubuntu-archive-keyring.gpg to ubuntu-archive-removed-keys.gpg after a given release goes EOL. This means that the Release signature cannot be verified after EOL since the Release is signed with the ubuntu-archive-keyring.gpg. It is expected that we can continue to build any release even after the suite is closed. This change adds a debootstrap configuration to override this behavior and ensure all of our images are verified against the main archive key. Refs: [0] https://git.launchpad.net/ubuntu/+source/debootstrap/commit/?id=4f8b3405097b9f655938528ae7105ec534eb7d1b
---
 live-build/auto/config | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/live-build/auto/config b/live-build/auto/config
index e969bb63..074bc01c 100755
--- a/live-build/auto/config
+++ b/live-build/auto/config
@@ -1397,6 +1397,8 @@ if [ -n "$PASSES" ] && [ -z "$LIVE_PASSES" ]; then
 "Either set \$LIVE_PASSES or add a pass ending with '.live'."
 fi
 
+echo "DEBOOTSTRAP_OPTIONS=\"--keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg\"" >> config/bootstrap
+
 echo "LB_CHROOT_HOOKS=\"$CHROOT_HOOKS\"" >> config/chroot
 echo "SUBPROJECT=\"${SUBPROJECT:-}\"" >> config/chroot
 echo "LB_DISTRIBUTION=\"$SUITE\"" >> config/chroot
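Review bot: The added `DEBOOTSTRAP_OPTIONS` line carries no comment, so the reason the keyring is pinned lives only in the commit message; a comment above it would keep the trust decision visible in the script, e.g. `# Pin Release verification to the main archive keyring; debootstrap otherwise switches EOL suites to ubuntu-archive-removed-keys.gpg.` Because the assignment is appended unconditionally, it would presumably replace any `DEBOOTSTRAP_OPTIONS` value written to config/bootstrap earlier, and it applies to every suite and project this script configures; the rest of the script is outside the hunk, so both are worth confirming. The path points at the build host's copy of the keyring, so Release verification is only as trustworthy as that file, and the comment could say that the build depends on the host keyring being present and current.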