From c144246cc9ee602dc7435d863d6c7d88a29e6d11 Mon Sep 17 00:00:00 2001
From: Sam Yaple
Date: Mon, 2 Jul 2018 13:57:46 -0400
Subject: [PATCH] Add keyring if supplied

When building with debootstrap, debootstrap will use the key to check that everything is properly signed. It will not `apt-key add` the key into the final environment, however. Early adding the key after debootstrap before we need to read from the private repo again prevents unsigned issues. This also maintains the integrity of the packages in the environment throughout the build.
Change-Id: I5ca75ae4620c9fb26b512cb30f8cd79fa7a0373a
---
 .../debian-minimal/root.d/75-debian-minimal-baseinstall | 5 +++++
 .../ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall b/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
index ceb51bf11..172447697 100755
--- a/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
+++ b/diskimage_builder/elements/debian-minimal/root.d/75-debian-minimal-baseinstall
@@ -24,6 +24,11 @@ fi
 set -eu
 set -o pipefail
+# NOTE(SamYaple): Add the keyring deboostrap used if specified
+if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
+ cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
+fi
+
 # Writes the apt sources files.
 # The description is passed in via line coded elements.
 # (The approach using associative arrays for configuration faild,
diff --git a/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall b/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
index 1835e1970..f9b90e707 100755
--- a/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
+++ b/diskimage_builder/elements/ubuntu-minimal/root.d/75-ubuntu-minimal-baseinstall
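Review bot: In the debian-minimal hunk the guard tests `${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}` but the body reads only `$DIB_APT_KEYRING`, so with just `DIB_DEBIAN_KEYRING` set the script aborts under `set -eu` on an unbound variable, and with `DIB_APT_KEYRING` set but empty `cat` is left reading stdin. Unless an environment file outside this hunk already folds the two variables together, resolve the path once and use it quoted: `keyring="${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}"`, then `if [ -n "$keyring" ]; then sudo chroot "$TARGET_ROOT" /usr/bin/apt-key add - < "$keyring"; fi`. Quoting also keeps a keyring path or `TARGET_ROOT` that contains spaces from being split into several arguments. The ubuntu-minimal hunk carries the same lines and needs the same change.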
@@ -21,6 +21,11 @@ fi
 set -eu
 set -o pipefail
+# NOTE(SamYaple): Add the keyring deboostrap used if specified
+if [ -n "${DIB_APT_KEYRING:-${DIB_DEBIAN_KEYRING:-}}" ]; then
+ cat $DIB_APT_KEYRING | sudo chroot $TARGET_ROOT /usr/bin/apt-key add -
+fi
+
 # We should manage this in a betterer way
 sudo bash -c "cat << EOF >$TARGET_ROOT/etc/apt/sources.list
 deb $DIB_DISTRIBUTION_MIRROR $DIB_RELEASE ${DIB_DEBIAN_COMPONENTS//,/ }
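Review bot: `apt-key add` in this hunk (and in the debian-minimal one) places the key in the image's global apt trust store, so it stays in the finished image and is accepted for every source configured there, not only the private mirror it was supplied for. That appears to be the intent per the commit message, but it deserves a comment above the `if`, for example `# The key is kept in the final image and trusted for all apt sources; supply only keys image users should trust`. Where the target release's apt supports it, a per-source `signed-by=` option on the `deb` entry written just below would confine the key to the mirror it belongs to.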