I figured out that pbuilder ignores secure apt's verification warnings, and was deeply disappointed. One cannot tell everyone that pbuilder is the preferred build environment when pbuilder is happily using untrusted debs to build.
After some digging, however, I found out that it's fairly easy to build a trusted pbuilder environment:
pbuilder create --debootstrap debootstrap --debootstrapopts --keyring=/etc/apt/trusted.gpg
This tells pbuilder to tell debootstrap to check packages using the default apt keyring. In turn, debootstrap will install the keyring in /etc/apt/ in the chroot, and so that the rest of the apt-installing done inside the chroot will verify the packages.
Note that I also had to force pbuilder to use debootstrap instead of
cdebootstrap, because cdebootstrap doesn't support
--keyring is not (yet) documented in debootstrap's manpage, although you
can find it in
Note: I put this tip on the Debian Wiki at http://wiki.debian.org/SecurePbuilder, and that version may in the future become more up to date that this blog entry.
Note: pbuilder will still install untrusted packages, although it will warn about it. Check your pbuilder output!