Build install kernel & Client with verifiable repos

Thomas Lange lange at
Mon Oct 19 14:53:06 CEST 2015

>>>>> On Mon, 19 Oct 2015 03:15:43 -0400, George {Skip} F VerDuin <gfv2014 at> said:

    > OK -- a short explanation:
    > I provided a FAI Project repo to faiserver/etc/fai/apt/sources.list.d/fai.list  and it works.
    > I provided a FAI Project key to faiserver/etc/fai/apt/trusted.gpg  too.
    > I also provided a key to faiserver/etc/fai/apt/trusted.gpg.d/fai.gpg  just for fun.

    > apt-key list shows the key:

    >     pub   4096R/074BCDE4 2013-07-30

    > in both files it was loaded into.  I have validated that the key does appear in /srv/fai/nfsroot/etc/apt/trusted.gpg.
    > But -- /var/log/fai/fai-setup.log shows the following:

    >     WARNING: untrusted versions of the following packages will be installed!
    >     Untrusted packages could compromise your system's security.
    >     You should only proceed with the installation if you are certain that
    >     this is what you want to do.
    >       fai-nfsroot fai-client fai-setup-storage liblinux-lvm-perl

    > SO -- what am I missing?  Apt in the chroot is configured to specifically do the work of validation, but fails.  Is there any hope that validation might be made to work for both install kernel
    > and client?
Mmm, it should be working as I understand apt-key. You can put the key
in a file into /etc/fai/apt/keys/*.asc then this will be loaded via
apt-key add when building the nfsroot. I will also add code into
fai-make-nfsroot, that adds the official key of the fai-project
repository into the nfsroot by default.

regards Thomas

More information about the linux-fai mailing list