Build install kernel & Client with verifiable repos
Thomas Lange
lange at informatik.uni-koeln.de
Mon Oct 19 14:53:06 CEST 2015
>>>>> On Mon, 19 Oct 2015 03:15:43 -0400, George {Skip} F VerDuin <gfv2014 at charter.net> said:
> OK -- a short explanation:
> I provided a FAI Project repo to faiserver/etc/fai/apt/sources.list.d/fai.list and it works.
> I provided a FAI Project key to faiserver/etc/fai/apt/trusted.gpg too.
> I also provided a key to faiserver/etc/fai/apt/trusted.gpg.d/fai.gpg just for fun.
> apt-key list shows the key:
> pub 4096R/074BCDE4 2013-07-30
> in both files it was loaded into. I have validated that the key does appear in /srv/fai/nfsroot/etc/apt/trusted.gpg.
> But -- /var/log/fai/fai-setup.log shows the following:
> WARNING: untrusted versions of the following packages will be installed!
> Untrusted packages could compromise your system's security.
> You should only proceed with the installation if you are certain that
> this is what you want to do.
> fai-nfsroot fai-client fai-setup-storage liblinux-lvm-perl
> SO -- what am I missing? Apt in the chroot is configured to specifically do the work of validation, but fails. Is there any hope that validation might be made to work for both install kernel
> and client?
Mmm, it should be working as I understand apt-key. You can put the key
in a file into /etc/fai/apt/keys/*.asc then this will be loaded via
apt-key add when building the nfsroot. I will also add code into
fai-make-nfsroot, that adds the official key of the fai-project
repository into the nfsroot by default.
--
regards Thomas
More information about the linux-fai
mailing list