
New option --keyring which is passed through to debootstrap.

Its default values work around bug #792729 in debootstrap.

Does not yet import those keys into APT's keyring inside the DomU.
(Not sure if debootstrap does that already, either.)
Axel Beckert
2015-07-17 21:09:31 +02:00
parent 6b51ae7b7c
commit 33d5c2a046
4 changed files with 42 additions and 0 deletions


@@ -15,6 +15,9 @@ General Ideas
[this mail](http://xen-tools.org/pipermail/xen-tools-discuss/2015-June/001103.html)
and the following mails on the xen-tools-discuss mailing list.
* Add keys in keyring given by `--keyring` to APT's keyring inside the
DomU by adding it with `apt-key add`.
Bugs to fix and features to add for 5.0
---------------------------------------


@@ -124,6 +124,9 @@ and EVMS EXAMPLE.
--(no)keep (Don't) keep our images if installation fails. It
maybe unmounted, though.
--keyring=/path/to/keyring
Set the path to the keyring debootstrap should use.
--kernel=/path/to/kernel
Set the path to the kernel to use for domU. If a
kernel is specified it must exist.
@@ -1275,6 +1278,7 @@ sub setupDefaultOptions
# Default distribution is Debian Stable
$CONFIG{ 'dist' } = 'stable';
$CONFIG{ 'mirror' } = '';
$CONFIG{ 'keyring' } = '';
# Initialize per distribution mirror defaults
foreach my $debdist (keys %DIST) {
@@ -1284,6 +1288,8 @@ sub setupDefaultOptions
if ($debdistinfo =~ /eol/) {
$CONFIG{ 'mirror_'.$debdist } = $MIRROR{$dist.'_archive'} or
die $dist.'_archive not defined in /etc/xen-tools/mirrors.conf';
my $removed_keys = "/usr/share/keyrings/$dist-archive-removed-keys.gpg";
$CONFIG{ 'keyring_'.$debdist } = $removed_keys if -r $removed_keys;
} else {
$CONFIG{ 'mirror_'.$debdist } = $MIRROR{$dist} or
die $dist.' not defined in /etc/xen-tools/mirrors.conf';
@@ -1462,6 +1468,7 @@ sub checkOption
memory => 'integerWithSuffix',
maxmem => 'integerWithSuffix',
kernel => 'existingFile',
keyring => 'existingFile',
initrd => 'existingFile',
modules => 'existingDir',
serial_device => 'serialDev',
@@ -1568,6 +1575,7 @@ sub parseCommandLineArguments
"kernel=s", \&checkOption,
"initrd=s", \&checkOption,
"mirror=s", \&checkOption,
"keyring=s", \&checkOption,
"apt_proxy=s", \&checkOption,
"modules=s", \&checkOption,
"lvm=s", \$install{ 'lvm' },
@@ -1808,6 +1816,17 @@ sub checkArguments
$CONFIG{ 'mirror' } = $CONFIG{ $distMirror };
}
#
# If no keyring is set, use the default per-distro keyring if present
#
my $distKeyring = "keyring_" . $CONFIG{ 'dist' };
if ( !$CONFIG{ 'keyring' } and
$CONFIG{ $distKeyring } and
length( $CONFIG{ $distKeyring } ) )
{
$CONFIG{ 'keyring' } = $CONFIG{ $distKeyring };
}
#
# NOTE: FAKE!
#
@@ -3461,6 +3480,14 @@ sub installSystem
$cmd .= " --arch=$CONFIG{'arch'}";
}
#
# Propagate --keyring
#
if ( $CONFIG{ 'keyring' } )
{
$cmd .= " --keyring=$CONFIG{'keyring'}";
}
#
# Propagate --debootstrap-cmd if install-method is debootstrap
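Review bot: In installSystem the keyring path is appended to `$cmd` unquoted (`$cmd .= " --keyring=$CONFIG{'keyring'}";`), so a path containing whitespace or shell metacharacters would be split or interpreted if `$cmd` is later handed to a shell; how `$cmd` is executed lies outside the hunk, so that part is inferred. The `existingFile` entry added in checkOption only shows that the value names a file, not that it is safe to interpolate. Quoting the value would close this, e.g. `( my $kr = $CONFIG{'keyring'} ) =~ s/'/'\\''/g;` followed by `$cmd .= " --keyring='$kr'";`. The same unquoted append is added to `$EXTRA` in do_debootstrap in the xt-install-image section. The neighbouring `--arch` append is written the same way, so this follows the file's existing pattern and is not new to this commit.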


@@ -28,6 +28,7 @@ xt-install-image - Install a fresh copy of GNU/Linux into a directory
configuration file.
--mirror The mirror to use when installing with 'debootstrap'.
--apt_proxy The proxy to use when installing with 'debootstrap'.
--keyring The keyring to use when installing with 'debootstrap'.
Installation Options:
--install-method Specify the installation method to use.
@@ -337,6 +338,7 @@ sub parseCommandLineArguments
"cachedir=s", \$CONFIG{ 'cachedir' },
"config=s", \$CONFIG{ 'config' },
"mirror=s", \$CONFIG{ 'mirror' },
"keyring=s", \$CONFIG{ 'keyring' },
"apt_proxy=s", \$CONFIG{ 'apt_proxy' },
# Help.
@@ -635,6 +637,14 @@ sub do_debootstrap
$EXTRA .= " --arch $CONFIG{'arch'}";
}
#
# Propogate the --keyring argument
#
if ( $CONFIG{ 'keyring' } )
{
$EXTRA .= " --keyring=$CONFIG{'keyring'}";
}
#
# Setup http_proxy so that debootstrap pulls files through the apt-proxy
#
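Review bot: `"keyring=s", \$CONFIG{ 'keyring' }` in parseCommandLineArguments stores the value with no check, whereas the other script in this commit routes the same option through checkOption with `existingFile`. When xt-install-image is run on its own, a mistyped or unreadable keyring path therefore reaches debootstrap unverified. Since the keyring is the trust anchor for the packages debootstrap installs, it is worth failing early inside the new `if` block, before the append: `die "keyring $CONFIG{'keyring'} is not readable\n" unless -r $CONFIG{'keyring'};`. The comment `# Propogate the --keyring argument` should read `Propagate`. do_debootstrap starts and ends outside the hunk.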

2
debian/changelog vendored

@@ -42,6 +42,8 @@ xen-tools (4.5+dev-1) UNRELEASED; urgency=medium
- Always run the full test suite before doing a release.
- Use maximum compression and don't store time stamps in tar ball.
- Make "release" target to include "orig-tar-gz" and tagging.
+ New option --keyring which is passed through to deboootstrap. Its
default values work around bug #792729 in debootstrap.
* Update Vcs-* headers and documentation as Gitorious closed its doors
in June 2015 and is now only available with static contents.
* Recommend debian-archive-keyring (for installing Debian DomUs on