In Snapcraft, we support using third-party apt repositories in plugins.
apt-secure defaults to not verifying repository signatures in Xenial, so Snapcraft doesn't do anything with repo keys. To quote the apt-secure man page:
"In the future APT will refuse to work with unauthenticated repositories by default until support for them is removed entirely. Users have the option to opt-in to this behavior already by setting the configuration option Acquire::AllowInsecureRepositories to false."
As promised, in Yakkety this default changed, which means that any plugin that uses third-party repositories fails to update its index because the repository's public key isn't on the system.
We’re currently working around that by making the behavior consistent, but that means the behavior is consistently bad: not verifying at all. We should discuss how we actually want to solve this problem, by adding the ability to ack repo keys.
My strawman to start the discussion:
We currently support a plugin declaring its repos via the PLUGIN_STAGE_SOURCES property. I suggest adding a new property called PLUGIN_STAGE_SOURCES_KEYS that returns a list of public key IDs which will be handed off to apt-key before attempting to communicate with the repo. An entry could also be a URL or a path to a keyfile.
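To make the strawman concrete, here is an added sketch (not Snapcraft code, and not part of the original post) of how a plugin could declare a PLUGIN_STAGE_SOURCES_KEYS list and how Snapcraft could turn it into apt-key imports before running apt-get update. The property name, the plugin class, the example repository, the key values and the command shapes are all assumptions. The one caveat it builds in is that short 8-hex key IDs are rejected: they are trivially collidable, so fetching one from a keyserver can hand you an attacker's key, and the full 40-character fingerprint should be used instead.

```python
"""Hypothetical handling of a PLUGIN_STAGE_SOURCES_KEYS property.

Added example, not Snapcraft code.  The property name, the key
classification rules and the command shapes are assumptions made for
illustration, not an existing Snapcraft API.
"""
import re
import shlex

# Long key IDs (16 hex) or full fingerprints (40 hex), optional 0x prefix.
_LONG_ID_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$")
# Short 8-hex IDs are deliberately rejected: they are easy to collide, so a
# keyserver lookup by short ID may return a key the attacker generated.
_SHORT_ID_RE = re.compile(r"^(?:0x)?[0-9A-Fa-f]{8}$")

DEFAULT_KEYSERVER = "hkp://keyserver.ubuntu.com:80"  # assumed default


class BadKeySpec(ValueError):
    """Raised when a key entry is malformed or too weak to trust."""


def classify_key(entry):
    """Classify one PLUGIN_STAGE_SOURCES_KEYS entry as ('id'|'url'|'path', value).

    Key IDs are normalised to upper case without the 0x prefix; URLs and
    paths are returned unchanged.
    """
    entry = entry.strip()
    if not entry:
        raise BadKeySpec("empty key entry")
    if entry.lower().startswith(("http://", "https://")):
        return "url", entry
    m = _LONG_ID_RE.match(entry)
    if m:
        return "id", m.group(1).upper()
    if _SHORT_ID_RE.match(entry):
        raise BadKeySpec(
            "short key id {!r}: use the 40-character fingerprint".format(entry))
    if entry.startswith(("/", "./", "../")) or entry.endswith((".gpg", ".asc", ".key")):
        return "path", entry
    raise BadKeySpec("unrecognised key entry {!r}".format(entry))


def apt_key_commands(keys, keyserver=DEFAULT_KEYSERVER):
    """Return the shell commands that would import each key with apt-key.

    The commands are returned rather than executed so the plan can be
    inspected (and tested) without touching the system keyring.
    """
    cmds = []
    for entry in keys:
        kind, value = classify_key(entry)
        if kind == "id":
            cmds.append("apt-key adv --keyserver {} --recv-keys {}".format(
                shlex.quote(keyserver), value))
        elif kind == "url":
            # Fetch the armored keyfile and feed it to apt-key on stdin.
            cmds.append("wget -qO- {} | apt-key add -".format(shlex.quote(value)))
        else:
            cmds.append("apt-key add {}".format(shlex.quote(value)))
    return cmds


class ExamplePlugin:
    """Hypothetical plugin declaring a third-party repo and its signing key."""

    # Sources template in the style of PLUGIN_STAGE_SOURCES (URL is made up).
    PLUGIN_STAGE_SOURCES = "deb http://example.com/apt ${release} main\n"
    # Proposed new property; all three entry forms shown, values made up.
    PLUGIN_STAGE_SOURCES_KEYS = [
        "0x1234567890ABCDEF1234567890ABCDEF12345678",  # fingerprint via keyserver
        "https://example.com/apt/archive.asc",         # keyfile URL
        "/etc/apt/trusted.gpg.d/example.gpg",          # local keyfile
    ]


def plan_for(plugin, keyserver=DEFAULT_KEYSERVER):
    """Commands to run before 'apt-get update' for the plugin's stage sources."""
    keys = getattr(plugin, "PLUGIN_STAGE_SOURCES_KEYS", None) or []
    return apt_key_commands(keys, keyserver)


if __name__ == "__main__":
    for cmd in plan_for(ExamplePlugin):
        print(cmd)
```

Returning the command plan instead of running it keeps the example offline and lets the import step be reviewed before it touches the trusted keyring; a plugin with no PLUGIN_STAGE_SOURCES_KEYS simply yields an empty plan, which is the current (unverified) behaviour.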