I think we cannot fix it this way. gpg --export 2BF8D9FE074BCDE4 may not work if the key is not already downloaded and available for gpg. I also do not want to force installing the package debian-keyring on the fai server. And we should not create a file when calling fai-make-nfsroot under /etc, which is normally a config file.
The idea is to ship the gpg key directly in the fai-server package. So I would add the file /etc/fai/apt/trusted.gpg.d/fai-project.gpg to the package fai-server. What do you think?

--
regards Thomas