4

From https://manpages.debian.org/wheezy/multistrap/multistrap.1:

--no-auth - allow the use of unauthenticated repositories. Same as noauth=true

What I understand from this definition is that multistrap won't try to authenticate, so unsafe software might be installed.

However it doesn't seem to be the case: Setting noauth=true throws the following error: 

Get:1 http://ftp.uk.debian.org/debian buster InRelease [122 kB]
Err:1 http://ftp.uk.debian.org/debian buster InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY DCC9EFBF77E11517
Reading package lists... Done
W: GPG error: http://ftp.uk.debian.org/debian buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY DCC9EFBF77E11517
E: The repository 'http://ftp.uk.debian.org/debian buster InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
apt update failed. Exit value: 100

Interesting part is, setting noauth=false fixes the problem.

What does noauth cause exactly?

ceremcem
  • 2,231
  • 1
  • 23
  • 53

1 Answers1

2

Your understanding is correct. However, there is a bug in multistrap so that it does not correctly configure apt to install packages unauthenticated. A description of the problem and a patch to fix it are available in debian bug report #908451 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908451).

More info on noauth=false (i.e, do authenticate):

  • The keyring packages need to be installable on the host system. Configure /etc/apt/sources and apt-key of the host accordingly before invoking multistrap.
  • The keyring debian packages need to install the keys into /usr/share/keyrings/, from where multistrap will copy them to /etc/apt/trusted.gpg.d/ where they are actually used by apt-key. Keyring packages that install their keys only to /etc/apt/trusted.gpg.d/ cannot be used by multistrap.
  • Specify each keyring package only once, even if the same keyring applies to multiple repositories. Multistrap will otherwise cause an error with an unhelpful error message, at least until debian bug #870166 is fixed.
T. Herzke
  • 146
  • 3