Package: multistrap
Version: 2.2.1
Severity: grave
Justification: renders package unusable

Hi,

multistrap seems to use

gpg --no-default-keyring --homedir=${dir}/etc/apt/trusted.gpg.d/ --keyring=multistrap.gpg --import ...

to prepare files for /etc/apt/trusted.gpg.d. With gnupg (>= 2) this will
create files of type "GPG keybox database version 1". That format is
incompatible with apt which uses gpgv. Instead the binary OpenPGP format
(also known as "GPG key public ring") should be used which is the common
export format of gnupg and works across all gnupg versions and is
supported by gpgv.

I'm making this bug "grave" because I cannot come up with a workaround
for this problem and am also not able to imagine a situation where a
user would want to create a system with untrusted packages.

Thanks!

cheers, josch
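
As an added example (not part of the original report and not multistrap's code), the following check tells the keybox files described above apart from binary OpenPGP keyrings by their leading bytes. The function names and the sample byte strings are constructed for illustration; the keybox test relies on the "KBXf" magic at offset 8 of the header blob.

```python
import os
import struct

ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"

def classify_keyring(data: bytes) -> str:
    """Return 'keybox', 'openpgp-binary', 'openpgp-armored' or 'unknown'."""
    # Keybox header blob: u32 length, type byte (1 = header), version byte,
    # u16 flags, then the magic string "KBXf" at offset 8.
    if len(data) >= 12 and data[4] == 1 and data[8:12] == b"KBXf":
        return "keybox"
    if data.lstrip().startswith(ARMOR_HEADER):
        return "openpgp-armored"
    if data and data[0] & 0x80:
        first = data[0]
        # Bit 6 set: new-format packet, tag in bits 5-0.
        # Bit 6 clear: old-format packet, tag in bits 5-2.
        tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2
        if tag == 6:  # public-key packet opens a binary public keyring
            return "openpgp-binary"
    return "unknown"

def find_keybox_files(directory: str) -> list:
    """List files in a trusted.gpg.d-style directory that are keybox databases."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            if classify_keyring(fh.read(64)) == "keybox":
                hits.append(name)
    return hits

# Constructed samples: only the leading bytes matter for classification.
KEYBOX_SAMPLE = struct.pack(">IBBH", 32, 1, 1, 0) + b"KBXf" + bytes(20)
BINARY_SAMPLE = bytes([0x99, 0x01, 0x0D, 0x04]) + bytes(16)

if __name__ == "__main__":
    import sys
    # Assumed usage: pass the chroot's etc/apt/trusted.gpg.d directory.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name in find_keybox_files(target):
        print(f"{name}: GPG keybox database, not a binary OpenPGP keyring")
```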
