a problem of ubuntu build system

Seth Forshee seth.forshee at canonical.com
Fri Jun 18 12:44:27 UTC 2021

Please send emails to this mailing list as plain text, not

On Fri, Jun 18, 2021 at 11:38:34AM +0800, hanguangyu1268 wrote:
> hi,
> how can I build ubuntu kernel with signed?
> run fakeroot debian/rules binary
> I hope get linux-image-signed-5.x.x.$(myarch).deb

You cannot get a signed kernel as an output from our linux package
build. It doesn't produce a signed kernel, as the actual signing of
kernels for Ubuntu is done by launchpad.

What you can do is create your own signing key and use sbsign to sign
kernels you build with that key. In order to boot those kernels under
UEFI secure boot you will need to enrol the key with shim as a MOK. Here
is some information about doing this:


Be sure to read that carefully, as it notes changes which are required
to the openssl.cnf as given in order to sign kernels. There's an OID
which must be removed from extendedKeyUsage, or else the key will only
be valid for signing modules.


More information about the kernel-team mailing list