Allow the build-vyos-image to use custom unsigned vyos mirrors.
Description
Details
- Version: -
- Is it a breaking change? Perfectly compatible
Event Timeline
Since the --vyos-mirror string is copied directly, you can simply prepend it with [trusted=yes]; a new flag isn't really necessary:
vyos_bld@5647d929bac0:/vyos/vyos-build$ sudo ./build-vyos-image iso \
--architecture amd64 \
--vyos-mirror "[trusted=yes] https://some.repo/current"
I: Checking if packages required for VyOS image build are installed
build/config
I: Cleaning the build workspace
...^C
vyos_bld@5647d929bac0:/vyos/vyos-build$ cat build/config/archives/vyos.list.chroot
deb [trusted=yes] https://some.repo/current current main
If packages are signed in your repo, you can put the key into the live-build configuration prior to building (similar to the existing VyOS dev key):
vyos-build/data/live-build-config/archives.
Trying to use https repositories with self-signed certificates (or private CAs) is tricky, however. live-build doesn't seem to have a mechanism for getting certs into the chroot early enough (that I can find). I'm far from an expert, though.
Unless you have a specific reason to work around signing, as @syncer suggests, just get proper certs/keys and sign everything.
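An added example, not part of the thread or of vyos-build: a small audit that parses one-line APT source entries such as the generated vyos.list.chroot and reports any that set trusted=yes or the related allow-* options from sources.list(5), so an unverified mirror does not go into a build unnoticed. The sample input and the example.invalid hosts are constructed; only the entry on sample line 2 comes from the thread.

```python
import re

# Options from sources.list(5) that weaken or switch off APT's signature checks.
WEAKENING = ("trusted", "allow-insecure", "allow-weak", "allow-downgrade-to-insecure")
# APT documents yes/no for these; the other spellings are a conservative assumption.
TRUTHY = {"yes", "true", "on", "1", "with", "enable"}

ENTRY = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>.*)$"
)

def parse_entry(line):
    """Parse one one-line-style source entry; None for blanks and comments."""
    m = ENTRY.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    opts = {}
    for token in (m.group("opts") or "").split():
        key, _, value = token.partition("=")
        opts[key.strip().lower()] = value.strip().lower()
    return {"uri": m.group("uri"), "suite": m.group("suite"),
            "components": m.group("comps").split(), "options": opts}

def audit(text):
    """Return (line number, uri, option) for every entry that bypasses verification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        for key in WEAKENING:
            if entry["options"].get(key) in TRUTHY:
                findings.append((lineno, entry["uri"], key))
    return findings

# Constructed sample: line 2 is the entry shown in the thread; the rest is made up.
SAMPLE = """\
# vyos.list.chroot (constructed sample)
deb [trusted=yes] https://some.repo/current current main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://repo.example.invalid/debian bookworm main
deb [trusted=no] https://repo.example.invalid/extra bookworm main contrib
"""

if __name__ == "__main__":
    for lineno, uri, option in audit(SAMPLE):
        print(f"line {lineno}: {uri} enables {option}, signatures are not enforced")
```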
I'm just using this for my home lab :) - that's a great suggestion @Rain I shall use that!
thanks for your effort in any case @florin
"A journey of a thousand miles begins with a single step"
Could this perhaps be extended into something like this in the help of the command and documentation?
--vyos-mirror --vyos-mirror-trusted