5 files changed, 132 insertions, 43 deletions

diff --git a/share/build-scripts/debconf b/share/build-scripts/debconf
index 900242d..2dd8cb7 100755
--- a/share/build-scripts/debconf
+++ b/share/build-scripts/debconf
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
 #
 # SPDX-License-Identifier: GPL-3.0+
 #
@@ -123,6 +123,8 @@ then
 	exit 1
 fi
 
+HOST="$(echo ${NAME} | cut -d. -f1)"
+
 Mount ()
 {
 	# Mounting rw bind mounts
@@ -371,7 +373,7 @@ Bootstrap ()
 	INCLUDE="dbus"
 
 	# apt repositories
-	INCLUDE="${INCLUDE},gnupg"
+	INCLUDE="${INCLUDE},gnupg,debian-archive-keyring"
 
 	if ( echo "${MIRROR}" | grep -qs '^https' ) || \
 	   ( echo "${PARENT_MIRROR}" | grep -qs '^https' )
@@ -488,15 +490,20 @@ Configure_apt ()
 	DIRECTORY="${1}"
 
 	# Configure apt
-	rm -f "${DIRECTORY}/etc/apt/sources.list"
+	rm -f "${DIRECTORY}/etc/apt/sources.list" "${DIRECTORY}/etc/apt/sources.list.d/debian.sources"
 
 	PARENT_AREA="$(echo ${PARENT_ARCHIVE_AREAS} | sed -e 's|,| |g')"
 	PARENT_DIST="$(echo ${PARENT_DISTRIBUTION} | sed -e 's|-backports||')"
 
-cat > "${DIRECTORY}/etc/apt/sources.list.d/debian.list" << EOF
-# /etc/apt/sources.list.d/debian.list
+cat > "${DIRECTORY}/etc/apt/sources.list.d/debian.sources" << EOF
+# /etc/apt/sources.list.d/debian.sources
 
-deb ${PARENT_MIRROR} ${PARENT_DIST} ${PARENT_AREA}
+Types: deb
+URIs: ${PARENT_MIRROR}
+Suites: ${PARENT_DIST}
+Components: ${PARENT_AREA}
+PDiffs: no
+Signed-By: /usr/share/keyrings/debian-archive-${PARENT_DIST}-stable.gpg
 EOF
 
 	case "${MODE}" in
@@ -569,46 +576,92 @@ Configure_system ()
 	echo "${NAME}" > "${DIRECTORY}/etc/hostname"
 
 	# Configure apt
-	rm -f "${DIRECTORY}/etc/apt/sources.list"
+	rm -f "${DIRECTORY}/etc/apt/sources.list" "${DIRECTORY}/etc/apt/sources.list.d/debian.sources"
 
 	PARENT_AREA="$(echo ${PARENT_ARCHIVE_AREAS} | sed -e 's|,| |g')"
 	PARENT_DIST="$(echo ${PARENT_DISTRIBUTION} | sed -e 's|-backports||')"
 
-cat > "${DIRECTORY}/etc/apt/sources.list.d/debian.list" << EOF
-# /etc/apt/sources.list.d/debian.list
+cat > "${DIRECTORY}/etc/apt/sources.list.d/debian.sources" << EOF
+# /etc/apt/sources.list.d/debian.sources
 
-deb ${PARENT_MIRROR} ${PARENT_DIST} ${PARENT_AREA}
+Types: deb
+URIs: ${PARENT_MIRROR}
+Suites: ${PARENT_DIST}
+Components: ${PARENT_AREA}
+PDiffs: no
+Signed-By: /usr/share/keyrings/debian-archive-${PARENT_DIST}-stable.gpg
 EOF
 
+	AUTOMATIC_SUITES=""
+
 	for PARENT_REPO in ${PARENT_ARCHIVES}
 	do
 		case "${PARENT_REPO}" in
-			buster-security)
-				echo "deb ${PARENT_MIRROR_SECURITY} ${PARENT_DIST}/updates ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list"
+			${PARENT_DIST}-updates)
+				AUTOMATIC_SUITES="${AUTOMATIC_SUITES} ${PARENT_DIST}-updates"
 				;;
 
-			${PARENT_DIST}-security)
-				echo "deb ${PARENT_MIRROR_SECURITY} ${PARENT_DIST}-security ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list"
+			${PARENT_DIST}-proposed-updates)
+				AUTOMATIC_SUITES="${AUTOMATIC_SUITES} ${PARENT_DIST}-proposed-updates"
 				;;
 
-			${PARENT_DIST}-updates)
-				echo "deb ${PARENT_MIRROR} ${PARENT_DIST}-updates ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list"
+			${PARENT_DIST}-backports)
+				AUTOMATIC_SUITES="${AUTOMATIC_SUITES} ${PARENT_DIST}-backports"
 				;;
 
-			${PARENT_DIST}-backports)
-				echo "deb ${PARENT_MIRROR} ${PARENT_DIST}-backports ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list"
+			${PARENT_DIST}-experimental)
+				AUTOMATIC_SUITES="${AUTOMATIC_SUITES} experimental"
 				;;
+		esac
+	done
 
-			${PARENT_DIST}-proposed-updates)
-				echo "deb ${PARENT_MIRROR} ${PARENT_DIST}-proposed-updates ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list"
+	if [ -n "${AUTOMATIC_SUITES}" ]
+	then
+		AUTOMATIC_SUITES="$(echo ${AUTOMATIC_SUITES} | sed -e 's|^ ||')"
+
+cat >> "${DIRECTORY}/etc/apt/sources.list.d/debian.sources" << EOF
+
+Types: deb
+URIs: ${PARENT_MIRROR}
+Suites: ${AUTOMATIC_SUITES}
+Components: ${PARENT_AREA}
+PDiffs: no
+Signed-By: /usr/share/keyrings/debian-archive-${PARENT_DIST}-automatic.gpg
+EOF
+
+	fi
+
+	SECURITY_SUITES=""
+
+	for PARENT_REPO in ${PARENT_ARCHIVES}
+	do
+		case "${PARENT_REPO}" in
+			buster-security)
+				SECURITY_SUITES="${SECURITY_SUITES} ${PARENT_DIST}/updates"
 				;;
 
-			experimental)
-				echo "deb ${PARENT_MIRROR} experimental ${PARENT_AREA}" >> "${DIRECTORY}/etc/apt/sources.list.d/debian.list"
+			${PARENT_DIST}-security)
+				SECURITY_SUITES="${SECURITY_SUITES} ${PARENT_DIST}-security"
 				;;
 		esac
 	done
 
+	if [ -n "${SECURITY_SUITES}" ]
+	then
+		SECURITY_SUITES="$(echo ${SECURITY_SUITES} | sed -e 's|^ ||')"
+
+cat >> "${DIRECTORY}/etc/apt/sources.list.d/debian.sources" << EOF
+
+Types: deb
+URIs: ${PARENT_MIRROR_SECURITY}
+Suites: ${PARENT_DIST}-security
+Components: ${PARENT_AREA}
+PDiffs: no
+Signed-By: /usr/share/keyrings/debian-archive-${PARENT_DIST}-security-automatic.gpg
+EOF
+
+	fi
+
 	case "${MODE}" in
 		progress-linux)
 
@@ -634,18 +687,13 @@ EOF
 	fi
 
 	# Add local archives configured from preseed file
-	if ls "${DEBCONF_TMPDIR}/apt"/*.list > /dev/null 2>&1
+	if ls "${DEBCONF_TMPDIR}/apt"/*.sources > /dev/null 2>&1
 	then
-		cp "${DEBCONF_TMPDIR}/apt"/*.list "${DIRECTORY}/etc/apt/sources.list.d"
+		cp "${DEBCONF_TMPDIR}/apt"/*.sources "${DIRECTORY}/etc/apt/sources.list.d"
 
 		if ls "${DEBCONF_TMPDIR}/apt"/*.key > /dev/null 2>&1
 		then
-			for KEY in "${DEBCONF_TMPDIR}/apt"/*.key
-			do
-				cp "${KEY}" "${DIRECTORY}"
-				Chroot "${DIRECTORY}" "apt-key add $(basename ${KEY})"
-				rm -f "${DIRECTORY}/$(basename ${KEY})"
-			done
+			cp "${DEBCONF_TMPDIR}/apt"/*.key "${DIRECTORY}/etc/apt/keyrings"
 		fi
 
 		if ls "${DEBCONF_TMPDIR}/apt"/*.pref > /dev/null 2>&1
@@ -686,6 +734,7 @@ EOF
 
 			sed -e "s|@FILE@|${FILE}|g" \
 			    -e "s|@NAME@|${NAME}|g" \
+			    -e "s|@HOST@|${HOST}|g" \
 			    -e "s|@IPV4_ADDRESS1@|${IPV4_ADDRESS1}|g" \
 			    -e "s|@IPV4_ADDRESS1_PART1@|${IPV4_ADDRESS1_PART1}|g" \
 			    -e "s|@IPV4_ADDRESS1_PART2@|${IPV4_ADDRESS1_PART2}|g" \
@@ -1185,6 +1234,7 @@ trap 'Umount' EXIT HUP INT QUIT TERM
 umask 0022
 
 export NAME
+export HOST
 
 Debconf
 
diff --git a/share/build-scripts/debconf.d/0001-preseed-file b/share/build-scripts/debconf.d/0001-preseed-file
index aa2c3c7..f2877c3 100755
--- a/share/build-scripts/debconf.d/0001-preseed-file
+++ b/share/build-scripts/debconf.d/0001-preseed-file
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
 #
 # SPDX-License-Identifier: GPL-3.0+
 #
diff --git a/share/build-scripts/debconf.d/0002-preseed-debconf b/share/build-scripts/debconf.d/0002-preseed-debconf
index fcb9006..3313173 100755
--- a/share/build-scripts/debconf.d/0002-preseed-debconf
+++ b/share/build-scripts/debconf.d/0002-preseed-debconf
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
 #
 # SPDX-License-Identifier: GPL-3.0+
 #
@@ -93,6 +93,7 @@ do
 	fi
 
 	sed -e "s|@NAME@|${NAME}|g" \
+	    -e "s|@HOST@|${HOST}|g" \
 	    -e "s|@IPV4_ADDRESS1@|${IPV4_ADDRESS1}|g" \
 	    -e "s|@IPV4_ADDRESS1_PART1@|${IPV4_ADDRESS1_PART1}|g" \
 	    -e "s|@IPV4_ADDRESS1_PART2@|${IPV4_ADDRESS1_PART2}|g" \
diff --git a/share/build-scripts/debconf.d/0003-debconf b/share/build-scripts/debconf.d/0003-debconf
index e12e25e..b5b252b 100755
--- a/share/build-scripts/debconf.d/0003-debconf
+++ b/share/build-scripts/debconf.d/0003-debconf
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
 #
 # SPDX-License-Identifier: GPL-3.0+
 #
@@ -664,12 +664,16 @@ Local_archives ()
 	do
 		mkdir -p "${DEBCONF_TMPDIR}/apt"
 
-		REPOSITORY="${RET#deb }"
+		REPOSITORY="$(echo "${RET}" | sed -e 's|^deb ||')"
 
-		LIST="archive${NUMBER}.list"
+		MIRROR="$(echo ${REPOSITORY} | cut -d' ' -f1)"
+		SUITES="$(echo ${REPOSITORY} | cut -d' ' -f2)"
+		AREAS="$(echo ${REPOSITORY} | cut -d' ' -f3-)"
+
+		LIST="archive${NUMBER}.sources"
 		if db_get container/archive${NUMBER}/list
 		then
-			LIST="$(basename ${RET} .list).list"
+			LIST="$(basename ${RET} .sources).sources"
 		fi
 
 		COMMENT=""
@@ -677,14 +681,18 @@ Local_archives ()
 		then
 			COMMENT="${RET}"
 
-			echo "# ${COMMENT}" > "${DEBCONF_TMPDIR}/apt/${LIST}"
-		fi
+cat > "${DEBCONF_TMPDIR}/apt/${LIST}" << EOF
+# ${COMMENT}
 
-		echo "deb ${REPOSITORY}" >> "${DEBCONF_TMPDIR}/apt/${LIST}"
+EOF
+
+		fi
 
 		if db_get container/archive${NUMBER}/source && [ "$RET" = true ]
 		then
-			echo "deb-src ${REPOSITORY}" >> "${DEBCONF_TMPDIR}/apt/${LIST}"
+			TYPES="deb deb-src"
+		else
+			TYPES="deb"
 		fi
 
 		KEY=""
@@ -692,7 +700,28 @@ Local_archives ()
 		then
 			KEY="${RET}"
 
-			wget -q "${KEY}" -O "${DEBCONF_TMPDIR}/apt/$(basename ${LIST} .list).key"
+			wget -q "${KEY}" -O "${DEBCONF_TMPDIR}/apt/$(basename ${LIST} .sources).key"
+
+			SIGNED="/etc/apt/keyrings/$(basename ${LIST} .sources).key"
+		else
+			SIGNED=""
+		fi
+
+cat > "${DEBCONF_TMPDIR}/apt/${LIST}" << EOF
+Types: deb
+URIs: ${MIRROR}
+Suites: ${SUITES}
+Components: ${AREAS}
+PDiffs: no
+EOF
+
+		if [ -n "${SIGNED}" ]
+		then
+
+cat >> "${DEBCONF_TMPDIR}/apt/${LIST}" << EOF
+Signed-By: ${SIGNED}
+EOF
+
 		fi
 
 		PREFERENCES_PACKAGE=""
@@ -714,8 +743,17 @@ Local_archives ()
 
 			if [ -n "${PREFERENCES_PACKAGE}" ] || [ -n "${PREFERENCES_PIN}" ] || [ -n "${PREFERENCES_PIN_PRIORITY}" ]
 			then
+				if [ -n "${COMMENT}" ]
+				then
+
+cat > "${DEBCONF_TMPDIR}/apt/$(basename ${LIST} .sources).pref" << EOF
+# ${COMMENT}
+
+EOF
+
+				fi
 
-cat > "${DEBCONF_TMPDIR}/apt/$(basename ${LIST} .list).pref" << EOF
+cat >> "${DEBCONF_TMPDIR}/apt/$(basename ${LIST} .sources).pref" << EOF
 Package: ${PREFERENCES_PACKAGE}
 Pin: ${PREFERENCES_PIN}
 Pin-Priority: ${PREFERENCES_PIN_PRIORITY}
diff --git a/share/build-scripts/debootstrap b/share/build-scripts/debootstrap
index 5ab5db2..696c7b4 100755
--- a/share/build-scripts/debootstrap
+++ b/share/build-scripts/debootstrap
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Copyright (C) 2014-2022 Daniel Baumann <daniel.baumann@open-infrastructure.net>
+# Copyright (C) 2014-2024 Daniel Baumann <daniel.baumann@open-infrastructure.net>
 #
 # SPDX-License-Identifier: GPL-3.0+
 #