Generating a new ubuntu-keyring .deb to sign ISO CD

Dimitri John Ledkov xnox at ubuntu.com
Tue Oct 25 11:11:01 UTC 2016


On 25 October 2016 at 12:00, Stefani Seibold <stefani at seibold.net> wrote:
> Hi,
>
> I want to modify an existing Ubuntu 16.10 ISO image to provide a new
> kernel for a server device which is currently in development and not
> yet on the market.
>
> I am trying to build a new ubuntu-keyring.deb to sign my modified packages
> in the ISO image. I followed the instructions provided by Ubuntu
> (https://help.ubuntu.com/community/InstallCDCustomization), but without
> success.
>
> When I follow the instructions in the chapter "Generating a new ubuntu-
> keyring .deb to sign your CD" I get a lot of errors:
>
> dpkg-buildpackage -rfakeroot -m"Myname <myname at myhost.net>" -k7F6D4417D881EFC3E7FA02E636F2F7B4F8A2CAC9
> dpkg-buildpackage: info: source package ubuntu-keyring
> dpkg-buildpackage: info: source version 2016.09.19
> dpkg-buildpackage: info: source distribution yakkety
> dpkg-buildpackage: info: host architecture amd64
>  dpkg-source --before-build ubuntu-keyring-2016.09.19
>  fakeroot debian/rules clean
> test -f keyrings/ubuntu-archive-keyring.gpg
> rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
> rm -rf debian/tmp debian/ubuntu-keyring-udeb
>  dpkg-source -b ubuntu-keyring-2016.09.19
> dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
> dpkg-source: info: using source format '1.0'
> dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.tar.gz
> dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.dsc
>  debian/rules build
> make: Nothing to be done for 'build'.
>  fakeroot debian/rules binary
> test -f keyrings/ubuntu-archive-keyring.gpg
> test root = "`whoami`"
> gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
> gpg: Signature made Mon Sep 19 19:22:17 2016 CEST
> gpg:                using RSA key CAC2D8B9CD2CA5F9
> keyrings/ubuntu-archive-keyring.gpg: OK
> keyrings/ubuntu-archive-removed-keys.gpg: OK
> keyrings/ubuntu-keyring-2004-archive.gpg: OK
> keyrings/ubuntu-keyring-2004-cdimage.gpg: OK
> keyrings/ubuntu-keyring-2012-archive.gpg: OK
> keyrings/ubuntu-keyring-2012-cdimage.gpg: OK
> keyrings/ubuntu-master-keyring.gpg: OK
> gpg: BAD signature from "Dimitri John Ledkov <xnox at ubuntu.com>" [unknown]
> gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt md5sums.txt | md5sum -c -
> gpg: Signature made Sat May 19 03:30:13 2012 CEST
> gpg:                using RSA key 393587D97D86500B
> keyrings/ubuntu-archive-keyring.gpg: FAILED
> gpg: Good signature from "Colin Watson <cjwatson at chiark.greenend.org.uk>" [unknown]
> gpg:                 aka "Colin Watson <cjwatson at debian.org>" [unknown]
> gpg:                 aka "Colin Watson <cjwatson at ubuntu.com>" [unknown]
> gpg:                 aka "Colin Watson <cjwatson at canonical.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: AC0A 4FF1 2611 B6FC CF01  C111 3935 87D9 7D86 500B
> md5sum: WARNING: 1 computed checksum did NOT match
> debian/rules:92: recipe for target 'checkkeyrings' failed
> make: *** [checkkeyrings] Error 1
> dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
>
> Any idea? Is there an instruction manual or a how-to which gives me
> detailed instructions on how I can modify an existing ISO image?
>
> I am not sure if this is the right mailing list for my question, please
> feel free to tell me the right one ;-)
>

I added these extra validation checks in the ubuntu-keyring package to
make sure that signing keys are not modified by accident, and to make
sure that checksums are signed by semi known-to-be-good keys.

To bypass these checks comment out commands under the "checkkeyrings:" target.

NB! Do make sure you ship your key as a key fragment in
/etc/apt/trusted.gpg.d/ as apt-key is no longer called, and from
yakkety and up signing keys must be shipped as individually exported
keys in /etc/apt/trusted.gpg.d directory.

Ideally d-i would support key fragments just like installed systems
can, then one wouldn't need to rebuild ubuntu-keyring at all.

-- 
Regards,

Dimitri.
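The reply above says a custom signing key must be shipped as an individually exported key in /etc/apt/trusted.gpg.d/. The following is an added example (not part of this thread, and not code from the ubuntu-keyring package) that checks candidate fragment files the way a build step could before they are packaged, assuming that apt of that era only loads binary `*.gpg` keyrings from that directory and ignores ASCII-armored files; the sample file contents are constructed.

```python
# OpenPGP packet tag for a Public-Key packet (RFC 4880, section 5.5.1.1)
PUBLIC_KEY_TAG = 6


def openpgp_first_tag(data):
    """Return the tag of the first OpenPGP packet in `data`, or None when the
    leading byte is not a packet header (bit 7 of a header is always set)."""
    if not data:
        return None
    b = data[0]
    if not b & 0x80:
        return None
    if b & 0x40:                 # new-format header: tag is the low 6 bits
        return b & 0x3F
    return (b >> 2) & 0x0F       # old-format header: tag is bits 2..5


def check_key_fragment(name, data):
    """Check one file destined for /etc/apt/trusted.gpg.d/.
    Assumption of this example: only binary *.gpg keyrings are loaded there."""
    if not name.endswith(".gpg"):
        return False, "%s: apt ignores fragments without a .gpg suffix" % name
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return False, "%s: ASCII-armored; export with gpg --export (no --armor)" % name
    tag = openpgp_first_tag(data)
    if tag != PUBLIC_KEY_TAG:
        return False, "%s: does not start with a Public-Key packet (tag %r)" % (name, tag)
    return True, "%s: binary keyring fragment, OK" % name


# Constructed samples. 0x99 is an old-format header for tag 6 with a 2-octet
# length, which is how `gpg --export` begins a v4 public key; 0x89 is tag 2,
# a Signature packet, i.e. not a key at all.
SAMPLES = {
    "myvendor-archive-keyring.gpg": b"\x99\x01\x0d\x04" + b"\x00" * 16,
    "myvendor.asc": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(armored data)\n",
    "bogus.gpg": b"\x89\x01\x0d" + b"\x00" * 8,
}


def check_all(samples=SAMPLES):
    """Map each file name to (ok, message) for every candidate fragment."""
    return {name: check_key_fragment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, msg) in check_all().items():
        print("PASS" if ok else "FAIL", msg)
```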
