From fef86b0a3fbce73e2e4196c65b53088bc8f9915f Mon Sep 17 00:00:00 2001
From: David Prevot
Date: Fri, 29 Sep 2023 15:18:58 +0200
Subject: [PATCH] apt: Add Signed-by on Bookworm updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The generic keyring is used instead of the specific ones for system and security because /usr/share/keyrings/debian-archive-bookworm-* are not present (yet) on major upgrades. It’s not ideal, and should be replaced afterwards. https://wiki.evolix.org/HowtoDebian/SourcesList#bookworm-12
---
 apt/tasks/migrate-to-deb822.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/apt/tasks/migrate-to-deb822.yml b/apt/tasks/migrate-to-deb822.yml
index 18aa1580..e7339e8b 100644
--- a/apt/tasks/migrate-to-deb822.yml
+++ b/apt/tasks/migrate-to-deb822.yml
@@ -30,3 +30,21 @@
 ignore_errors: yes
 tags:
 - apt
+
+- name: Add signed-by when relevant for bookworm
+ ansible.builtin.lineinfile:
+ dest: /etc/apt/sources.list.d/system.sources
+ line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
+ insertafter: "Suites: bookworm bookworm-updates"
+ state: present
+ tags:
+ - apt
+
+- name: Add signed-by when relevant for bookworm-security
+ ansible.builtin.lineinfile:
+ dest: /etc/apt/sources.list.d/security.sources
+ line: "Signed-by: /usr/share/keyrings/debian-archive-keyring.gpg"
+ insertafter: "Suites: bookworm-security"
+ state: present
+ tags:
+ - apt
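Review bot: In both new tasks the position of the `Signed-by` field depends entirely on `insertafter`; when that pattern matches no line, `lineinfile` appends at end of file and still reports the task as changed, so a host whose `Suites:` line is written differently gets the field in the last stanza (or after a trailing blank line) while the intended stanza stays unpinned. Because no `regexp` is given, presence is decided by the exact `line` text, so a stanza that already carries `Signed-By:` in the canonical capitalisation, or with another keyring path, would receive a second field. Adding `regexp: '^Signed-[Bb]y:'` would make each task act on the field rather than the literal line, at the cost of overwriting an existing value, and a follow-up check that the field sits directly under the `Suites:` line would catch the end-of-file case. Neither task carries a `when:` or a guard that the `dest` file exists, despite the "when relevant" in the task names; whether earlier tasks outside the hunk guarantee that cannot be seen here.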