From 3e9ec958862d45ae53cc37965158a460b7da8733 Mon Sep 17 00:00:00 2001
From: Valentin Haudiquet
Date: Thu, 19 Feb 2026 14:33:59 +0100
Subject: [PATCH] apt/keyring: always download in binary format

---
 src/apt/keyring.rs | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/src/apt/keyring.rs b/src/apt/keyring.rs
index 6f306a1..fd6ad96 100644
--- a/src/apt/keyring.rs
+++ b/src/apt/keyring.rs
@@ -22,12 +22,15 @@ struct LaunchpadPpaResponse {
 /// instead of the system apt keyring directory, allowing non-root usage.
 /// The returned path can be passed to mmdebstrap via --keyring.
 ///
+/// For Debian keyrings (which are ASCII-armored .asc files), the key is
+/// converted to binary GPG format using gpg --dearmor.
+///
 /// # Arguments
 /// * `ctx` - Optional context to use
 /// * `series` - The distribution series (e.g., "noble", "sid")
 ///
 /// # Returns
-/// The path to the downloaded keyring file
+/// The path to the downloaded keyring file (in binary GPG format)
 pub async fn download_cache_keyring(
 ctx: Option>,
 series: &str,
@@ -54,7 +57,7 @@ pub async fn download_cache_keyring(
 .next_back()
 .unwrap_or("pkh-{}.gpg")
 .replace("{}", series);
- let keyring_path = cache_dir.join(&filename);
+ let download_path = cache_dir.join(&filename);

 // Download the keyring using curl
 let mut curl_cmd = ctx.command("curl");
@@ -64,13 +67,42 @@ pub async fn download_cache_keyring(
 .arg("-L")
 .arg(&keyring_url)
 .arg("--output")
- .arg(&keyring_path);
+ .arg(&download_path);

 let status = curl_cmd.status()?;
 if !status.success() {
 return Err(format!("Failed to download keyring from {}", keyring_url).into());
 }

+ // If the downloaded file is an ASCII-armored key (.asc), convert it to binary GPG format
+ // mmdebstrap's --keyring option expects binary GPG keyrings
+ let keyring_path = if filename.ends_with(".asc") {
+ let binary_filename = filename.strip_suffix(".asc").unwrap_or(&filename);
+ let binary_path = cache_dir.join(format!("{}.gpg", binary_filename));
+
+ log::debug!("Converting ASCII-armored key to binary GPG format");
+ let mut gpg_cmd = ctx.command("gpg");
+ gpg_cmd
+ .arg("--dearmor")
+ .arg("--output")
+ .arg(&binary_path)
+ .arg(&download_path);
+
+ let status = gpg_cmd.status()?;
+ if !status.success() {
+ return Err("Failed to convert keyring to binary format"
+ .to_string()
+ .into());
+ }
+
+ // Remove the original .asc file
+ let _ = ctx.command("rm").arg("-f").arg(&download_path).status();
+
+ binary_path
+ } else {
+ download_path
+ };
+
 log::info!(
 "Successfully downloaded keyring for {} to {}",
 series,
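Review bot: The `gpg --dearmor` call runs without `--batch --yes`, so when `binary_path` is already present in the cache directory from an earlier run gpg may ask for overwrite confirmation on the terminal, which stalls or fails a non-interactive build; start the chain with `.arg("--batch").arg("--yes")` before `.arg("--dearmor")`. The armored case is detected only from the `.asc` suffix of the URL-derived `filename`, so an armored key served under any other name would still be handed to mmdebstrap unconverted. Because this file becomes the trust anchor for package verification, a comment such as `// NOTE: key is trusted as downloaded; integrity relies on the transport` above the conversion would make that assumption explicit, since nothing in the hunk compares the key against a pinned fingerprint (the remaining curl options and the URL scheme lie outside the hunk, so this may already be handled there). The body of `download_cache_keyring` begins and ends outside this hunk.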