I noted what I've done and linked to the git diffs in a comment on the tracker.

FWIW the main issue was that tkldev-setup had the GPG key hardcoded into it and we've rotated the keys for Buster. The updated script now clones the repos first and gets the key from the Buildtasks config. So future iterations should "just work" (so long as the key ID has been updated in buildtasks).

Unfortunately, because the script is contained within the overlay of the TKLDev build code, it won't be included until the next release. I'll probably need to do an RC2 build of TKLDev to fix that...

In the meantime, if you wanted to, you could download it like this:

URL=https://raw.githubusercontent.com/turnkeylinux-apps/tkldev/master/overlay
FILE=usr/local/sbin/tkldev-setup
wget $URL/$FILE -O /$FILE

It probably won't do much if you run it, as you've already manually set it up. But if you wanted to test it out, you could remove the unpacked bootstrap and test that part (it will automatically pull the latest commits for all the repos before it checks the bootstrap downloads). Obviously, you'll need to download the updated tkldev-setup script first (as per above), then remove the Buster bootstrap and re-run it like this:

rm -r /turnkey/fab/bootstraps/buster
tkldev-setup

FWIW, here's what I got when I just re-ran it (after just removing the unpacked Buster bootstrap as per above):

INFO [tkldev-setup]: /turnkey/buildtasks exists, attempting update.
Already up to date.
INFO [tkldev-setup]: /turnkey/tklbam-profiles exists, attempting update.
Already up to date.
INFO [tkldev-setup]: /turnkey/fab/cdroots exists, attempting update.
Already up to date.
INFO [tkldev-setup]: /turnkey/fab/common exists, attempting update.
Already up to date.
INFO [tkldev-setup]: /turnkey/fab/products/core exists, attempting update.
Already up to date.
INFO [tkldev-setup]: Downloading bootstrap-buster-amd64
File 'bootstrap-buster-amd64.tar.gz' already there; not retrieving.

File 'bootstrap-buster-amd64.tar.gz.hash' already there; not retrieving.

INFO [signature-verify]: Verifying GPG signature
gpg: Signature made Sun Mar  8 10:37:48 2020 UTC
gpg:                using RSA key F190A48B54DC56B2C7F24DCBAC5EB00493E5BC1C
gpg: Good signature from "TurnKey GNU/Linux Buster Images (GPG signing key for TurnKey Linux Buster Images) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A8B2 EF42 8781 9B03 D351  6CCA 7623 1C20 425E 9772
     Subkey fingerprint: F190 A48B 54DC 56B2 C7F2  4DCB AC5E B004 93E5 BC1C
INFO [signature-verify]: GPG verification success.
INFO [signature-verify]: Verifying checksum.
INFO [signature-verify]: Checksum verification success.
INFO [tkldev-setup]: Unpacking bootstrap-buster-amd64
INFO [tkldev-setup]: tkldev-setup complete.
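
The log above shows a good signature made by a subkey, together with gpg's "not certified" warning, so a script that must trust exactly one signing key can pin the primary key fingerprint and compare it against gpg's machine-readable status output. This is an added sketch, not tkldev-setup's or signature-verify's own code: the function name `check_pinned_sig` and the sample status lines are constructed, the fingerprints are the ones printed in the log above, and it assumes the pin is stored as a full 40-hex fingerprint.

```shell
#!/bin/sh
# Pinned primary-key fingerprint, copied from the gpg output in the log above.
# Assumption: the build config stores the full fingerprint, not a short key ID.
PINNED_FPR="A8B2 EF42 8781 9B03 D351  6CCA 7623 1C20 425E 9772"

# Constructed sample of `gpg --status-fd 1 --verify` output (date fields invented).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AC5EB00493E5BC1C TurnKey GNU/Linux Buster Images
[GNUPG:] VALIDSIG F190A48B54DC56B2C7F24DCBAC5EB00493E5BC1C 2020-03-08 1583663868 0 4 0 1 10 00 A8B2EF4287819B03D3516CCA76231C20425E9772'

# check_pinned_sig FINGERPRINT   (gpg status lines on stdin)
# Returns 0 when there is exactly one VALIDSIG, its primary key matches the
#           pin, and no failure status line is present;
#         1 for any other status stream;
#         2 when the pin is not a full 40-hex fingerprint.
check_pinned_sig() {
    # Accept the spaced form gpg prints, normalise to 40 upper-case hex digits.
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$pin" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#pin}" -eq 40 ] || return 2
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature or its key must not be trusted.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            n++
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the primary key fingerprint.
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) != pin) bad = 1
        }
        END { exit (n == 1 && !bad) ? 0 : 1 }
    '
}

# Demo on the constructed sample. Against a real download the status stream
# would come from: gpg --status-fd 1 --verify SIGNED_FILE 2>/dev/null
printf '%s\n' "$SAMPLE_STATUS" | check_pinned_sig "$PINNED_FPR" \
    && echo "signature is from the pinned key"
```

Pinning the primary fingerprint rather than the signing subkey means a rotated subkey under the same primary key still passes, while a short key ID is refused as a pin.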