Build install kernel & Client with verifiable repos
George {Skip} F VerDuin
gfv2014 at charter.net
Mon Oct 19 09:15:43 CEST 2015
Greetings.
While building the install kernel, apt is configured to ignore failure of
validation against gpg keys.
I presume the setting is a convenience, not a workaround for an apt bug.
No -- I have not been hurt by the setting, the build seems secure
without passing validation.
But -- I worked a while to provide keys for validation anyway. Without
success.
OK -- a short explanation:
I provided a FAI Project repo to
faiserver/etc/fai/apt/sources.list.d/fai.list and it works.
I provided a FAI Project key to faiserver/etc/fai/apt/trusted.gpg too.
I also provided a key to faiserver/etc/fai/apt/trusted.gpg.d/fai.gpg
just for fun.
apt-key list shows the key:
    pub 4096R/074BCDE4 2013-07-30
    uid Thomas Lange <lange at informatik.uni-koeln.de>
    uid Thomas Lange <lange at debian.org>
    sub 4096R/517A03DA 2013-07-30
in both files it was loaded into. I have validated that the key does
appear in /srv/fai/nfsroot/etc/apt/trusted.gpg.
But -- /var/log/fai/fai-setup.log shows the following:
    WARNING: untrusted versions of the following packages will be installed!
    Untrusted packages could compromise your system's security.
    You should only proceed with the installation if you are certain that
    this is what you want to do.
    fai-nfsroot fai-client fai-setup-storage liblinux-lvm-perl
So -- what am I missing? Apt in the chroot is configured to
specifically do the work of validation, but fails. Is there any hope
that validation might be made to work for both the install kernel and the client?
It is not a hot issue, but thanks in advance for any insight.
Skip
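
An added example, not part of the original post or of FAI: a shell check that pulls the package names out of the "untrusted versions" warning in a fai-setup log, so a build can be failed while apt itself is still configured to continue past validation errors. It assumes the warning wording quoted in the post; the function names and the sample lines marked "(constructed)" are made up for illustration.

```shell
#!/bin/sh
# Added example, not FAI code. Assumes the warning wording quoted in the post;
# function names here are hypothetical.

# untrusted_packages: read a fai-setup log on stdin and print, one per line,
# every package listed under an "untrusted versions" warning.
untrusted_packages() {
    awk '
    # state 0: outside a warning, 1: explanatory text, 2: package list
    /^WARNING: untrusted versions of the following packages/ { state = 1; next }
    state == 1 {
        if ($0 ~ /this is what you want to do\. *$/) { state = 2; seen = 0 }
        next
    }
    state == 2 {
        if (NF == 0) { if (seen) state = 0; next }   # blank line ends a started list
        for (i = 1; i <= NF; i++)                    # any non-package token ends it
            if ($i !~ /^[a-z0-9][a-z0-9+.-]+$/) { state = 0; next }
        for (i = 1; i <= NF; i++) print $i
        seen = 1
    }
    '
}

# fail_if_untrusted LOGFILE: return 1 and name the packages on stderr when the
# log contains the warning, return 0 otherwise.
fail_if_untrusted() {
    pkgs=$(untrusted_packages < "$1" | sort -u)
    if [ -n "$pkgs" ]; then
        printf 'untrusted: %s\n' $pkgs >&2
        return 1
    fi
    return 0
}

# Constructed sample: the warning block from the post between two made-up lines.
sample_log() {
    cat <<'EOF'
(constructed) line before the warning
WARNING: untrusted versions of the following packages will be installed!
Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.
fai-nfsroot fai-client fai-setup-storage liblinux-lvm-perl
(constructed) line after the warning
EOF
}

sample_log | untrusted_packages
```

Run against the real log as `fail_if_untrusted /var/log/fai/fai-setup.log`; a non-zero status means the nfsroot build pulled in packages that apt could not validate against the keys in the chroot.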