Using trusted.gpg is deprecated.
Just use another dir and add to the list files a "signed-by" option.
Diego
On 17/07/25 06:53, Scott Ferguson wrote:
On 14/7/25 14:00, Scott Ferguson wrote:
Debian Bookworm fai-server running latest fai-project packages,
creating installation .iso images for Debian Bookworm clients.
I have put the .gpg keys in $NFSROOT/etc/apt/trusted.gpg.d (per 2010
instructions on this mailing list as I failed to find another guide)
"sudo chroot /srv/fai/nfsroot apt-key list" shows them there. However
when I create the .iso image only the default .gpg keys are there
(not the ones I added).
I used:
sudo fai-make-nfsroot -fs
cl=DEBIAN,DHCPC,DEMO,FAIBASE,BOOKWORM,ONE,BACKPORTS,SSH_SERVER,STANDARD,NONFREE,RECOMMENDS,FAIME,GRUB_PC,GRUB_EFI,AMD64
sudo fai-mirror -C /etc/fai -m1 -c$cl /srv/fai/mirror
sudo fai-cd -C /etc/fai -g grub.cfg.install-only -m/srv/fai/mirror /media/host/test.iso
Kind regards
Some more information:-
root@fai:/srv/fai/nfsroot/etc/apt/trusted.gpg.d# ls -al
total 124
drwxr-xr-x 2 root root 4096 Jul 12 22:18 .
drwxr-xr-x 8 root root 4096 Jul 12 17:29 ..
-rw-r--r-- 1 root root 2484 Mar 25 02:22 brave-browser-archive-keyring.gpg
-rw-r--r-- 1 root root 11861 Apr 10 09:04 debian-archive-bookworm-automatic.asc
-rw-r--r-- 1 root root 11873 Apr 10 09:04 debian-archive-bookworm-security-automatic.asc
-rw-r--r-- 1 root root 461 Apr 10 09:04 debian-archive-bookworm-stable.asc
-rw-r--r-- 1 root root 11861 Apr 10 09:04 debian-archive-bullseye-automatic.asc
-rw-r--r-- 1 root root 11873 Apr 10 09:04 debian-archive-bullseye-security-automatic.asc
-rw-r--r-- 1 root root 3403 Apr 10 09:04 debian-archive-bullseye-stable.asc
-rw-r--r-- 1 root root 11861 Apr 10 09:04 debian-archive-trixie-automatic.asc
-rw-r--r-- 1 root root 11873 Apr 10 09:04 debian-archive-trixie-security-automatic.asc
-rw-r--r-- 1 root root 1384 Apr 10 09:04 debian-archive-trixie-stable.asc
-rw-r--r-- 1 root root 2824 May 17 07:01 fai-project.gpg
-rw-r--r-- 1 root root 12775 Jul 12 07:36 google-chrome.gpg
-rw-r--r-- 1 root root 2223 Aug 12 2024 signal-desktop-keyring.gpg
-rw-r--r-- 1 root root 2288 May 16 14:14 tailscale-archive-keyring.gpg
On the machine built from the generated .iso
root@t490s:/etc/apt/trusted.gpg.d# ls -al
total 96
drwxr-xr-x 2 root root 4096 Jul 17 14:17 .
drwxr-xr-x 9 root root 4096 Jul 17 14:21 ..
-rw-r--r-- 1 root root 11861 Apr 10 09:04 debian-archive-bookworm-automatic.asc
-rw-r--r-- 1 root root 11873 Apr 10 09:04 debian-archive-bookworm-security-automatic.asc
-rw-r--r-- 1 root root 461 Apr 10 09:04 debian-archive-bookworm-stable.asc
-rw-r--r-- 1 root root 11861 Apr 10 09:04 debian-archive-bullseye-automatic.asc
-rw-r--r-- 1 root root 11873 Apr 10 09:04 debian-archive-bullseye-security-automatic.asc
-rw-r--r-- 1 root root 3403 Apr 10 09:04 debian-archive-bullseye-stable.asc
-rw-r--r-- 1 root root 11861 Apr 10 09:04 debian-archive-trixie-automatic.asc
-rw-r--r-- 1 root root 11873 Apr 10 09:04 debian-archive-trixie-security-automatic.asc
-rw-r--r-- 1 root root 1384 Apr 10 09:04 debian-archive-trixie-stable.asc
-rw-r--r-x 1 root root 2824 Nov 8 2019 DEBIAN.gpg
I understand how the DEBIAN.gpg key gets there, and 'could' include my
three third-party keys by creating a new class for each of the keys
and then including those keys in $FAI_CONFIGDIR/package_config
e.g. classes SIGNAL, TAILSCALE, GCHROME and SIGNAL.gpg, TAILSCALE.gpg
and GCHROME.gpg - which 'seems' right, but doesn't explain why
fai-project.gpg ends up in $NFSROOT/etc/apt/trusted.gpg in the first
place even though it doesn't wind up in the created .iso. I suspect
that is just lint from earlier versions of fai, but would appreciate a
more educated opinion.
I am using fai-quickstart 6.4.1
Kind regards
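
The reply at the top of this thread suggests keeping third-party keys out of trusted.gpg.d and naming a keyring per source with "signed-by". The script below is an added example, not part of the thread or of FAI: it checks the one-line .list entries under a root (such as an nfsroot) for a signed-by keyring that exists in that same root. The function names, the /etc/apt/keyrings location and the repo.example.org entries are assumptions made for illustration, and deb822 .sources files are not covered.

```shell
#!/bin/sh
# Added example (not from the thread). Audits one-line-style APT entries under a
# root such as an FAI nfsroot: each "deb" line should carry signed-by=<keyring>
# and that keyring must exist inside the same root.

# audit_sources ROOT -> prints "OK|NO-SIGNED-BY|MISSING-KEY <file> [keyring]"
# per entry; returns 1 if any entry is not OK.
audit_sources() {
    root=$1; rc=0
    for f in "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "deb "*|"deb-src "*) ;;
                *) continue ;;      # skip comments and blank lines
            esac
            # Pull the signed-by value out of the [ options ] group, if present.
            # Simplification: treats the value as a single keyring path.
            key=$(printf '%s\n' "$line" |
                sed -n 's/^[^[]*\[[^]]*signed-by=\([^] ]*\).*/\1/p')
            name=${f##*/}
            if [ -z "$key" ]; then
                echo "NO-SIGNED-BY $name"; rc=1
            elif [ ! -f "$root$key" ]; then
                echo "MISSING-KEY $name $key"; rc=1
            else
                echo "OK $name $key"
            fi
        done < "$f"
    done
    return $rc
}

# make_sample_root -> creates a constructed test tree and prints its path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/apt/sources.list.d" "$d/etc/apt/keyrings"
    : > "$d/etc/apt/keyrings/example-a.gpg"   # placeholder, existence only
    s=$d/etc/apt/sources.list.d
    echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/example-a.gpg] https://repo.example.org/a stable main" > "$s/a.list"
    echo "deb [signed-by=/etc/apt/keyrings/example-b.gpg] https://repo.example.org/b stable main" > "$s/b.list"
    echo "deb https://repo.example.org/c stable main" > "$s/c.list"
    echo "$d"
}

demo=$(make_sample_root)
audit_sources "$demo" || echo "entries above need a signed-by keyring"
rm -rf "$demo"
```

The check only confirms that the referenced keyring file is present; it does not verify that the key inside matches the repository.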