Using gpg-authenticated debian-archives: Difference between revisions

Line 1: Line 1:
read http://wiki.debian.org/SecureApt
do this inside the nfsroot if needed:
do this inside the nfsroot if needed:


apt-get install gnupg debian-keyring gpg --recv-keys 4F368D5D
<pre>
apt-get install gnupg debian-keyring  
gpg --keyserver hkp://subkeys.pgp.net --recv-keys 4F368D5D
</pre>
(adjust the key ID and keyserver as needed)


FAI_DEBOOTSTRAP_OPTS="--include=gnupg" is half of whats needed.
Adding
<pre>
FAI_DEBOOTSTRAP_OPTS="--include=gnupg"  
</pre>
to make-fai-nfsroot.conf then you don't need to install gnupkg manually.
 
hmm. I checked this again. I removed my previpus comment before, because I thought it's stupid from me to say this doesn't work because of the wron key ID. But there's something else wrong:
You don't need these keys in the nfsroot! You need them in the install target. Therefore, you must do these things either in the base.tgz, (or whatever image you are using when having multiple base images), or you have to import the keys with some hook before the actual package installation.
--[[User:Lazyboy|lazyboy]] 22:30, 14 October 2007 (CEST)
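Review bot: The new "gpg --keyserver hkp://subkeys.pgp.net --recv-keys 4F368D5D" line fetches the key by an 8-digit short ID over plain hkp, and nothing after it checks what was actually imported. Short IDs can collide, so I would add a step that compares the output of "gpg --fingerprint 4F368D5D" with a fingerprint obtained from a trusted source before the key is relied on. The signed comment at the end of this hunk says the keys are needed in the install target rather than the nfsroot, which contradicts the "do this inside the nfsroot" lead-in; the instructions should say where the import belongs instead of leaving the disagreement as a talk-style comment. "gnupkg" should also read "gnupg".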




Line 12: Line 26:
If you run a archive make sure that you have a toplevel Release file (create it with apt-ftparchive release) and sign it a key (with gpg -abs -o Release.gpg Release). Then tell your users what key they need to import.
If you run a archive make sure that you have a toplevel Release file (create it with apt-ftparchive release) and sign it a key (with gpg -abs -o Release.gpg Release). Then tell your users what key they need to import.


= howto create a local mirror incl. security.debian.org =


http://www.psycast.de/blog/?postid=30 (german, will do a translation soon)
 
[[Category:Howto]]

Latest revision as of 22:24, 30 January 2019

Read http://wiki.debian.org/SecureApt first.

Do this inside the nfsroot if needed:

<pre>
apt-get install gnupg debian-keyring
gpg --keyserver hkp://subkeys.pgp.net --recv-keys 4F368D5D
</pre>

(adjust the key ID and keyserver as needed)

Adding

<pre>
FAI_DEBOOTSTRAP_OPTS="--include=gnupg"
</pre>

to make-fai-nfsroot.conf means you don't need to install gnupg manually.

Hmm. I checked this again. I removed my previous comment before, because I thought it's stupid of me to say this doesn't work because of the wrong key ID. But there's something else wrong: You don't need these keys in the nfsroot! You need them in the install target. Therefore, you must do these things either in the base.tgz (or whatever image you are using when having multiple base images), or you have to import the keys with some hook before the actual package installation. --lazyboy 22:30, 14 October 2007 (CEST)


For people running an archive repository

(taken from http://wiki.debian.org/apt06 - go to that page and read it!)

If you run an archive, make sure that you have a top-level Release file (create it with apt-ftparchive release) and sign it with a key (with gpg -abs -o Release.gpg Release). Then tell your users which key they need to import.
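The detached signature in Release.gpg covers only the Release file; the package indices are protected because Release lists their checksums. The shell function below is an added example, not part of this wiki page or of FAI, and it checks that link once gpg --verify Release.gpg Release has succeeded. The function names and the sample archive are constructed for illustration.

```shell
#!/bin/sh
# Added example. Run only after `gpg --verify Release.gpg Release` succeeded:
# the signature is what makes the checksums inside Release trustworthy.

# check_release_indices DIR: 0 if every listed index file present in DIR matches
# its recorded size and SHA256, 1 on mismatch, 2 if nothing could be checked.
check_release_indices() {
    dir=$1 rc=0 seen=0
    # Pull "hash size path" triples out of the SHA256: section only.
    entries=$(awk '/^SHA256:/ {on=1; next} /^[^ ]/ {on=0}
                   on && NF==3 {print $1, $2, $3}' "$dir/Release") || return 2
    [ -n "$entries" ] || { echo "no SHA256 entries in Release" >&2; return 2; }
    while read -r want_hash want_size path; do
        # Refuse paths that would escape the archive directory.
        case $path in /*|*..*) echo "bad path: $path" >&2; rc=1; continue ;; esac
        f="$dir/$path"
        [ -f "$f" ] || continue   # not every listed variant is mirrored
        seen=$((seen + 1))
        got_size=$(wc -c < "$f" | tr -d ' ')
        got_hash=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$got_size" != "$want_size" ] || [ "$got_hash" != "$want_hash" ]; then
            echo "MISMATCH: $path" >&2
            rc=1
        fi
    done <<EOF
$entries
EOF
    [ "$seen" -gt 0 ] || { echo "no listed index file found" >&2; return 2; }
    return "$rc"
}

# make_sample_archive DIR: constructed sample data standing in for a real
# archive tree and the output of `apt-ftparchive release`.
make_sample_archive() {
    p=main/binary-amd64/Packages
    mkdir -p "$1/main/binary-amd64"
    printf 'Package: hello\nVersion: 1.0\n' > "$1/$p"
    { printf 'Origin: example\nSuite: stable\nSHA256:\n'
      printf ' %s %s %s\n' "$(sha256sum "$1/$p" | cut -d' ' -f1)" \
             "$(wc -c < "$1/$p" | tr -d ' ')" "$p"; } > "$1/Release"
}

# Demo on constructed data: a clean tree passes, a modified Packages file fails.
tmp=$(mktemp -d)
make_sample_archive "$tmp"
check_release_indices "$tmp" && echo "indices match Release"
echo 'Package: evil' >> "$tmp/main/binary-amd64/Packages"
check_release_indices "$tmp" || echo "tampering detected"
rm -rf "$tmp"
```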