--- a/coverage.sh
+++ b/coverage.sh
@@ -2,15 +2,16 @@
 
 set -eu
 
-perltidy < mmdebstrap > mmdebstrap.tdy
+TMPFILE=$(mktemp)
+perltidy < mmdebstrap > "$TMPFILE"
 ret=0
-diff -u mmdebstrap mmdebstrap.tdy || ret=$?
+diff -u mmdebstrap "$TMPFILE" || ret=$?
 if [ "$ret" -ne 0 ]; then
 	echo "perltidy failed" >&2
-	rm mmdebstrap.tdy
+	rm "$TMPFILE"
 	exit 1
 fi
-rm mmdebstrap.tdy
+rm "$TMPFILE"
 
 if [ $(wc -L < mmdebstrap) -gt 79 ]; then
 	echo "exceeded maximum line length of 79 characters" >&2
@@ -1256,7 +1257,9 @@ if [ ! -e /mmdebstrap-testenv ]; then
 	exit 1
 fi
 rm /etc/apt/trusted.gpg.d/*.gpg
-$CMD --mode=root --variant=apt --keyring=/usr/share/keyrings/debian-archive-keyring.gpg --keyring=/usr/share/keyrings/ $DEFAULT_DIST /tmp/debian-chroot $mirror
+$CMD --mode=root --variant=apt --keyring=/usr/share/keyrings/debian-archive-keyring.gpg --keyring=/usr/share/keyrings/ $DEFAULT_DIST /tmp/debian-chroot "deb $mirror $DEFAULT_DIST main"
+# make sure that no [signedby=...] managed to make it into the sources.list
+echo "deb $mirror $DEFAULT_DIST main" | cmp /tmp/debian-chroot/etc/apt/sources.list -
 tar -C /tmp/debian-chroot --one-file-system -c . | tar -t | sort | diff -u tar1.txt -
 rm -r /tmp/debian-chroot
 END
@@ -1277,7 +1280,9 @@ mkdir -p emptydir
 touch emptyfile
 # this overwrites the apt keyring options and should fail
 ret=0
-$CMD --mode=root --variant=apt --keyring=./emptydir --keyring=./emptyfile $DEFAULT_DIST /tmp/debian-chroot $mirror || ret=\$?
+$CMD --mode=root --variant=apt --keyring=./emptydir --keyring=./emptyfile $DEFAULT_DIST /tmp/debian-chroot "deb $mirror $DEFAULT_DIST main" || ret=\$?
+# make sure that no [signedby=...] managed to make it into the sources.list
+echo "deb $mirror $DEFAULT_DIST main" | cmp /tmp/debian-chroot/etc/apt/sources.list -
 rm -r /tmp/debian-chroot
 rmdir emptydir
 rm emptyfile
@@ -1590,9 +1595,9 @@ echo copy-in-customize > /tmp/copy-in-cu
 echo tar-in-setup > /tmp/tar-in-setup
 echo tar-in-essential > /tmp/tar-in-essential
 echo tar-in-customize > /tmp/tar-in-customize
-tar -C /tmp -cf /tmp/tar-in-setup.tar tar-in-setup
-tar -C /tmp -cf /tmp/tar-in-essential.tar tar-in-essential
-tar -C /tmp -cf /tmp/tar-in-customize.tar tar-in-customize
+tar --numeric-owner -C /tmp -cf /tmp/tar-in-setup.tar tar-in-setup
+tar --numeric-owner -C /tmp -cf /tmp/tar-in-essential.tar tar-in-essential
+tar --numeric-owner -C /tmp -cf /tmp/tar-in-customize.tar tar-in-customize
 rm /tmp/tar-in-setup
 rm /tmp/tar-in-essential
 rm /tmp/tar-in-customize
@@ -1807,8 +1812,7 @@ export LC_ALL=C.UTF-8
 $CMD --mode=root --variant=apt --logfile=log $DEFAULT_DIST /tmp/debian-chroot $mirror
 # we check the full log to also prevent debug printfs to accidentally make it into a commit
 cat << LOG | diff - log
-I: chroot architecture amd64 is equal to the host's architecture
-I: gpg --version failed: cannot determine the right signed-by value
+I: chroot architecture $HOSTARCH is equal to the host's architecture
 I: running apt-get update...
 I: downloading packages with apt...
 I: extracting archives...
--- a/mmdebstrap
+++ b/mmdebstrap
@@ -2350,7 +2350,7 @@ sub hookhelper {
         # path that is valid on the outside -- fakechroot and proot have their
         # own reasons, see below
         my @cmdprefix = ();
-        my @tarcmd    = ('tar');
+        my @tarcmd    = ('tar', '--numeric-owner');
         if ($hook eq 'setup') {
             if ($mode eq 'proot') {
                 # since we cannot run tar inside the chroot under proot during
@@ -3906,7 +3906,7 @@ sub main() {
                 # Open a tar process creating a tarfile of the instructed
                 # path. To emulate the behaviour of cp, change to the
                 # dirname of the requested path first.
-                open my $fh, '-|', 'tar', '--directory',
+                open my $fh, '-|', 'tar', '--numeric-owner', '--directory',
                   $msg eq 'mktar' ? dirname($indir) : $indir,
                   '--create', '--file', '-',
                   $msg eq 'mktar' ? basename($indir) : '.'
@@ -3975,8 +3975,9 @@ sub main() {
 
                 # now we expect one or more "write" messages containing the
                 # tarball to unpack
-                open my $fh, '|-', 'tar', '--directory', $outdir, '--extract',
-                  '--file', '-' // error "failed to fork(): $!";
+                open my $fh, '|-', 'tar', '--numeric-owner', '--directory',
+                  $outdir, '--extract', '--file',
+                  '-' // error "failed to fork(): $!";
 
                 # handle "write" messages from the child process and feed
                 # their payload into the tar process until a "close" message
