diff --git a/docker/gitian-host/README.md b/docker/gitian-host/README.md
index 804c96e..7472a9d 100644
--- a/docker/gitian-host/README.md
+++ b/docker/gitian-host/README.md
@@ -14,11 +14,16 @@ Preamble
 It is **necessary** that before you using these scripts you read them and understand what they do. Why? Because your goal is to create a gitian build (deterministic) that has not been tampered with, thus trust shall be correctly attributed during your process.
+For example, in this repository I provide the [Debian Archive keyring](../keyrings/debian-archive-keyring.gpg) that is used for the original debootstrap,
+however you **must** verify its authenticity and that it is exactly [as provided officially by Debian](https://packages.debian.org/wheezy/all/debian-archive-keyring/download)
+in order to continue using a trusted chain of systems.
+
 See also:
 - https://gitian.org/
 - https://en.wikipedia.org/wiki/Web_of_trust
 - http://www.dwheeler.com/trusting-trust/
 - https://www.debian.org/
+- https://wiki.debian.org/SecureApt
 - https://www.docker.io/
 - http://www.ubuntu.com/
diff --git a/docker/gitian-host/build-base-vms.sh b/docker/gitian-host/build-base-vms.sh
index d05546e..beec2c9 100755
--- a/docker/gitian-host/build-base-vms.sh
+++ b/docker/gitian-host/build-base-vms.sh
@@ -23,10 +23,12 @@ function ext_partition() {
 loop=`sudo kpartx -av $OUT.raw|sed -n '/loop.p1/{s/.*loop\(.\)p1.*/\1/;p}'`
 sudo cp --sparse=always /dev/mapper/loop${loop}p1 $OUT
 sudo chown $USER $OUT
+ ## following 2 lines are a sloppy hack to an unknown problem with kpartx
 sudo sync
 sleep 5
+ ## these are silenced because if former fails, second doesn't and viceversa
 sudo kpartx -d /dev/loop$loop 2>/dev/null
- sudo rm /dev/mapper/loop${loop}p1
+ sudo rm /dev/mapper/loop${loop}p1 2>/dev/null
 rm -f $OUT.raw
 }
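Review bot: The `2>/dev/null` added to `sudo rm /dev/mapper/loop${loop}p1` hides every failure of that command, including sudo itself failing, while the new comment only wants to silence the case where kpartx already removed the mapping; `rm -f` is silent for a missing path but still reports real errors, so `sudo rm -f -- "/dev/mapper/loop${loop}p1"` covers the stated case without the blanket redirect. Neither the `kpartx -d` nor the `rm` status is checked, so a mapping or loop device that survives is never reported before `rm -f $OUT.raw` unlinks the file the loop device was set up on; a final `[ -e "/dev/mapper/loop${loop}p1" ] && echo "warning: partition mapping still present" >&2` would at least make that visible. On the first context line `$loop` is extracted with a backtick substitution from an unquoted `$OUT.raw`, where `$(...)` and quoting would be the usual style. ext_partition starts before this hunk.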
diff --git a/docker/keyrings/debian-archive-keyring.gpg b/docker/keyrings/debian-archive-keyring.gpg
new file mode 100644
index 0000000..46d1f0e
Binary files /dev/null and b/docker/keyrings/debian-archive-keyring.gpg differ
diff --git a/docker/scripts/build-wheezy.sh b/docker/scripts/build-wheezy.sh
index dc4bab4..f3a9a56 100755
--- a/docker/scripts/build-wheezy.sh
+++ b/docker/scripts/build-wheezy.sh
@@ -5,26 +5,59 @@ ## build a base Debian Wheezy
 #
+BASENAME=$(dirname $(readlink -m $0))
+
 ## the distro we are going to use
 DISTNAME=wheezy
 DEBIAN_REPO=http://ftp.debian.org/debian
 if [ ! $UID -eq 0 ]; then
 echo "This script can only be run as root" 1>&2
- exit
+ exit 1
 fi
 ## install prerequisites
 ## NOTE: may fail on non-Ubuntu/Debian systems
-if ! type -P debootstrap; then
+if ! type -P debootstrap >/dev/null; then
 apt-get install debootstrap -y || exit $?
 fi
+## check about the Debian archive keyring
+DEFK=/usr/share/keyrings/debian-archive-keyring.gpg
+KEYRING=$BASENAME/../keyrings/debian-archive-keyring.gpg
+if [ -s $DEFK ]; then
+ if ! diff $DEFK $KEYRING; then
+ ANSWER=
+ while [[ "$ANSWER" != "Y" && "$ANSWER" != "n" ]]; do
+ echo -n "The Debian Archive keyring in your system ($DEFK) that will be used to debootstrap is different from the reference provided keyring. Continue? (Y/n) "
+ read -r ANSWER || exit $?
+ done
+ if [[ "$ANSWER" == "n" ]]; then
+ exit 1
+ fi
+ ## use system's keyring, even if different than provided one
+ ## this is a no-issue only in case the system's keyring is more recent than the provided one
+ KEYRING=$DEFK
+ fi
+else
+ ANSWER=
+ while [[ "$ANSWER" != "Y" && "$ANSWER" != "n" ]]; do
+ echo -n "Your system comes with no Debian Archive keyring in $DEFK that is necessary for debootstrap. Use reference provided keyring? (Y/n) "
+ read -r ANSWER || exit $?
+ done
+ if [[ "$ANSWER" == "n" ]]; then
+ exit 1
+ fi
+fi
+
+echo "Will use $KEYRING"
+exit 0
+
 ## NOTE: a temporary directory under /tmp is not used because can't be mounted dev/exec
 mkdir $DISTNAME || exit $?
 TMPDIR=$PWD/$DISTNAME
-debootstrap $DISTNAME $DISTNAME $DEBIAN_REPO && \
+debootstrap --keyring=$KEYRING $DISTNAME $DISTNAME $DEBIAN_REPO && \
 cd $DISTNAME && \
 tar -c . | docker import - gdm85/$DISTNAME
 RV=$?
diff --git a/docker/scripts/create-gitian-host.sh b/docker/scripts/create-gitian-host.sh
index ccc3417..6f6ea8f 100755
--- a/docker/scripts/create-gitian-host.sh
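Review bot: The `exit 0` after `echo "Will use $KEYRING"` ends the script before `mkdir` and the new `debootstrap --keyring=$KEYRING` line, so the keyring that was just selected is never actually used; if this is a deliberate dry-run leftover it should be removed or put behind a flag, with a comment saying why. The prompt loops only leave on a literal `Y` or `n`, so pressing Enter — what the `(Y/n)` wording suggests — just reprints the question; `[[ -z "$ANSWER" ]] && ANSWER=Y` after each `read` would honour the advertised default. When no system keyring exists, the repository copy becomes the trust root for the whole debootstrap with no check beyond the README's request to verify it by hand; printing its key fingerprints with `gpg --no-default-keyring --keyring "$KEYRING" --fingerprint` before the prompt would give the operator something concrete to compare against Debian's published values. `diff $DEFK $KEYRING` is used only for its status, so `cmp -s` fits better and keeps the binary-differ message off stdout, and `$KEYRING`, derived from `$0`, should be quoted both there and in `--keyring=`.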
+++ b/docker/scripts/create-gitian-host.sh
@@ -37,7 +37,7 @@ echo "Now building base VMs" && \
 IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' $CID) && \
 wait_for_ssh $IP 10 && \
 ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no debian@$IP ./build-base-vms.sh && \
-docker stop $CID && \
+docker kill $CID && \
 docker commit $CID gdm85/gitian-host-vms && \
 docker rm $CID && \
 echo "Gitian host images created successfully!" && \
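Review bot: `docker kill $CID` sends SIGKILL, so nothing inside the container gets a chance to flush or shut down before `docker commit` snapshots its filesystem; if `docker stop` was replaced because its default grace period made the chain slow, `docker stop -t 1 $CID` keeps the orderly SIGTERM while bounding the wait. If the intent is instead that the container is idle once the ssh step returns, a short comment above the line saying so would stop the next reader from reverting it. The `&&` chain this line belongs to starts before the hunk.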