Build install kernel & Client with verifiable repos

George {Skip} F VerDuin gfv2014 at charter.net
Mon Oct 19 09:15:43 CEST 2015


Greetings.

While building the install kernel, apt is configured to ignore failure of 
validation against gpg keys.
I presume the setting is a convenience, not a workaround for an apt bug.
No -- I have not been hurt by the setting, the build seems secure 
without passing validation.
But -- I worked a while to provide keys for validation anyway. Without 
success.

OK -- a short explanation:
I provided a FAI Project repo to 
faiserver/etc/fai/apt/sources.list.d/fai.list  and it works.
I provided a FAI Project key to faiserver/etc/fai/apt/trusted.gpg too.
I also provided a key to faiserver/etc/fai/apt/trusted.gpg.d/fai.gpg  
just for fun.

apt-key list shows the key:

    pub   4096R/074BCDE4 2013-07-30
    uid                  Thomas Lange <lange at informatik.uni-koeln.de>
    uid                  Thomas Lange <lange at debian.org>
    sub   4096R/517A03DA 2013-07-30

in both files it was loaded into.  I have validated that the key does 
appear in /srv/fai/nfsroot/etc/apt/trusted.gpg.

But -- /var/log/fai/fai-setup.log shows the following:

    WARNING: untrusted versions of the following packages will be installed!

    Untrusted packages could compromise your system's security.
    You should only proceed with the installation if you are certain that
    this is what you want to do.

       fai-nfsroot fai-client fai-setup-storage liblinux-lvm-perl

SO -- what am I missing?  Apt in the chroot is configured to 
specifically do the work of validation, but fails.  Is there any hope 
that validation might be made to work for both install kernel and client?

It is not a hot issue, but thanks in advance for any insight.
Skip
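
A check that could run after fai-setup to flag a build whose log records unverified installs, written against the warning block quoted above. This is an added example, not part of the original post or of FAI; the function names and the two lines surrounding the warning in the sample log are assumptions.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the warning layout is the
# one quoted from fai-setup.log in the post.

# Print each package listed under an "untrusted versions" warning, one per line.
untrusted_packages() {
    awk '
        # state 0: searching, 1: in warning prose, 2: before list, 3: in list
        /WARNING: untrusted versions of the following packages/ { state = 1; next }
        state == 1 && /this is what you want to do/ { state = 2; next }
        state == 2 && NF == 0 { next }
        state == 2 { state = 3 }
        state == 3 && NF > 0 && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        state == 3 { state = 0 }
    ' "$1" | LC_ALL=C sort -u
}

# Return 0 if the log records no unverified installs, 1 otherwise.
check_fai_log() {
    pkgs=$(untrusted_packages "$1")
    [ -z "$pkgs" ] && return 0
    printf 'unverified packages in %s:\n%s\n' "$1" "$pkgs" >&2
    return 1
}

# Constructed sample: the warning block from the post between two made-up lines.
write_sample_log() {
    cat > "$1" <<'EOF'
Reading package lists...
WARNING: untrusted versions of the following packages will be installed!

Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.

   fai-nfsroot fai-client fai-setup-storage liblinux-lvm-perl

Setting up fai-nfsroot ...
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
check_fai_log "$sample" || echo "nfsroot build would be rejected"
rm -f "$sample"
```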