Using gpg-authenticated debian-archives
read http://wiki.debian.org/SecureApt
do this inside the nfsroot if needed:
apt-get install gnupg debian-keyring gpg --keyserver hkp://subkeys.pgp.net --recv-keys 4F368D5D
(adjust the key ID and keyserver as needed)
Adding
FAI_DEBOOTSTRAP_OPTS="--include=gnupg"
to make-fai-nfsroot.conf then you don't need to install gnupkg manually.
hmm. I checked this again. I removed my previpus comment before, because I thought it's stupid from me to say this doesn't work because of the wron key ID. But there's something else wrong: You don't need these keys in the nfsroot! You need them in the install target. Therefore, you must do these things either in the base.tgz, (or whatever image you are using when having multiple base images), or you have to import the keys with some hook before the actual package installation. --lazyboy 22:30, 14 October 2007 (CEST)
For people running an archive repository
(taken from http://wiki.debian.org/apt06 - go to that page and read it!)
If you run a archive make sure that you have a toplevel Release file (create it with apt-ftparchive release) and sign it a key (with gpg -abs -o Release.gpg Release). Then tell your users what key they need to import.
howto create a local mirror incl. security.debian.org
http://www.psycast.de/blog/?postid=30 (german, will do a translation soon)