Jeremy Davis's picture

[update]: This post initially noted 'buster', when it should have been 'bullseye'. I've updated it by changing all instances of 'buster' to be 'bullseye'. Note also that the Debian security repo format has changed since buster!


First up, you can use TKLBAM locally as well. Although it still will require you to sign up to the Hub to get the backup profile (or generate a profile yourself). But as Hub signup still requires an AWS account, you'll likely prefer not going that path.

As for a "Debian style upgrade", yes that's a totally legitimate path to follow. It sounds like you were heading in the right direction, however, you will need to also update the TurnKey repo keys (as per the error you noted).

The keys can be downloaded from keyservers, but in recent times, they're a bit broken, so it's probably easier to just pull them from GitHub. The easiest way to update them would be via the command line. Here's a script that you can copy/paste. It will download and convert the keys to the required format for all 3 repos (if you weren't using 'testing', downloading the key won't cause any issue):

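# Requires bash (uses an array); writes to /usr/share/keyrings, so run as root
CODENAME=bullseye
key_dir=/usr/share/keyrings
base_url=https://raw.githubusercontent.com/turnkeylinux/common/master/overlays/bootstrap_apt
repos=(main security testing)
for repo in "${repos[@]}"; do
    local_path="$key_dir/tkl-$CODENAME-$repo"
    keyring="$local_path.gpg"
    keyfile="$local_path.asc"
    # The overlay mirrors the filesystem layout, so the local path doubles as the URL path
    key_url="${base_url}${keyfile}"
    # Import only if the download succeeded
    wget -O "$keyfile" "$key_url" &&
        gpg --no-default-keyring --keyring "$keyring" --import "$keyfile"
    rm -f "$keyfile"
done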

Then the only other thing you should need to do is update the TurnKey repo key paths in the relevant sources.list files (/etc/apt/sources.list.d/security.sources.list & /etc/apt/sources.list.d/sources.list). E.g. your security sources file contents should look like this:

deb [signed-by=/usr/share/keyrings/tkl-bullseye-security.gpg] http://archive.turnkeylinux.org/debian bullseye-security main

deb http://security.debian.org/ bullseye-security main
deb http://security.debian.org/ bullseye-security contrib
#deb http://security.debian.org/ bullseye-security non-free

I hope that helps.
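
A check to run after the steps above, added here as an example and not part of the original post: it flags `deb` lines for the TurnKey archive that lack `signed-by` or name a keyring file that is missing or empty. The function name `audit_sources` and the `KEYRING_ROOT` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit one-line-style apt sources for signed-by problems.
# KEYRING_ROOT (hypothetical, normally unset) is prepended to the keyring
# path so the check can be exercised against a scratch directory.
#
# Usage: audit_sources /etc/apt/sources.list.d/security.sources.list

# audit_sources FILE [HOST]
# Prints one finding per deb/deb-src line for HOST (default: the TurnKey
# archive) that has no signed-by option or whose keyring is missing/empty.
# Returns 0 when there are no findings, 1 otherwise.
audit_sources() {
    file=$1
    host=${2:-archive.turnkeylinux.org}
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            deb\ *|deb-src\ *) ;;
            *) continue ;;      # comments, blank lines, anything else
        esac
        case $line in
            *"://$host/"*|*"://$host "*) ;;
            *) continue ;;      # a different archive, not checked here
        esac
        # Pull the signed-by value out of the [options] block, if present.
        keyring=$(printf '%s\n' "$line" |
            sed -n 's/^[^[]*\[[^]]*signed-by=\([^] ,]*\).*/\1/p')
        if [ -z "$keyring" ]; then
            echo "$file:$lineno: no signed-by for $host"
            status=1
        elif [ ! -s "${KEYRING_ROOT:-}$keyring" ]; then
            echo "$file:$lineno: keyring missing or empty: $keyring"
            status=1
        fi
    done < "$file"
    return $status
}
```

Run it against both sources files named in the post; no output and a zero exit status mean every TurnKey entry points at a keyring that exists.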