Generating a new ubuntu-keyring .deb to sign ISO CD

Dimitri John Ledkov xnox at ubuntu.com
Tue Oct 25 13:35:59 UTC 2016


On 25 October 2016 at 14:15, Stefani Seibold <stefani at seibold.net> wrote:
> On 25 October 2016 at 12:00, Stefani Seibold <stefani at seibold.net>
>> wrote:
>> >
>> > Hi,
>> >
>> > I want to modify an existing Ubuntu 16.10 ISO image to provide a new
>> > kernel for a server device which is currently in development and
>> > not yet on the market.
>> >
>> > I am trying to build a new ubuntu-keyring.deb to sign my modified
>> > packages in the ISO image. I followed the instructions provided by
>> > Ubuntu (https://help.ubuntu.com/community/InstallCDCustomization),
>> > but without success.
>> >
>> > When I follow the instructions in the chapter "Generating a new
>> > ubuntu-keyring .deb to sign your CD" I get a lot of errors:
>> >
>> > dpkg-buildpackage -rfakeroot -m"Myname <myname at myhost.net>"
>> > -k7F6D4417D881EFC3E7FA02E636F2F7B4F8A2CAC9
>> > dpkg-buildpackage: info: source package ubuntu-keyring
>> > dpkg-buildpackage: info: source version 2016.09.19
>> > dpkg-buildpackage: info: source distribution yakkety
>> > dpkg-buildpackage: info: host architecture amd64
>> >  dpkg-source --before-build ubuntu-keyring-2016.09.19
>> >  fakeroot debian/rules clean
>> > test -f keyrings/ubuntu-archive-keyring.gpg
>> > rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
>> > rm -rf debian/tmp debian/ubuntu-keyring-udeb
>> >  dpkg-source -b ubuntu-keyring-2016.09.19
>> > dpkg-source: warning: no source format specified in
>> > debian/source/format, see dpkg-source(1)
>> > dpkg-source: info: using source format '1.0'
>> > dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.tar.gz
>> > dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.dsc
>> >  debian/rules build
>> > make: Nothing to be done for 'build'.
>> >  fakeroot debian/rules binary
>> > test -f keyrings/ubuntu-archive-keyring.gpg
>> > test root = "`whoami`"
>> > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
>> > gpg: Signature made Mon Sep 19 19:22:17 2016 CEST
>> > gpg:                using RSA key CAC2D8B9CD2CA5F9
>> > keyrings/ubuntu-archive-keyring.gpg: OK
>> > keyrings/ubuntu-archive-removed-keys.gpg: OK
>> > keyrings/ubuntu-keyring-2004-archive.gpg: OK
>> > keyrings/ubuntu-keyring-2004-cdimage.gpg: OK
>> > keyrings/ubuntu-keyring-2012-archive.gpg: OK
>> > keyrings/ubuntu-keyring-2012-cdimage.gpg: OK
>> > keyrings/ubuntu-master-keyring.gpg: OK
>> > gpg: BAD signature from "Dimitri John Ledkov <xnox at ubuntu.com>"
>> > [unknown]
>> > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt md5sums.txt | md5sum -c -
>> > gpg: Signature made Sat May 19 03:30:13 2012 CEST
>> > gpg:                using RSA key 393587D97D86500B
>> > keyrings/ubuntu-archive-keyring.gpg: FAILED
>> > gpg: Good signature from "Colin Watson <cjwatson at chiark.greenend.org.uk>" [unknown]
>> > gpg:                 aka "Colin Watson <cjwatson at debian.org>"
>> > [unknown]
>> > gpg:                 aka "Colin Watson <cjwatson at ubuntu.com>"
>> > [unknown]
>> > gpg:                 aka "Colin Watson <cjwatson at canonical.com>"
>> > [unknown]
>> > gpg: WARNING: This key is not certified with a trusted signature!
>> > gpg:          There is no indication that the signature belongs to
>> > the owner.
>> > Primary key fingerprint: AC0A 4FF1 2611 B6FC CF01  C111 3935 87D9  7D86 500B
>> > md5sum: WARNING: 1 computed checksum did NOT match
>> > debian/rules:92: recipe for target 'checkkeyrings' failed
>> > make: *** [checkkeyrings] Error 1
>> > dpkg-buildpackage: error: fakeroot debian/rules binary gave error
>> > exit status 2
>> >
>> > Any idea? Is there an instruction manual or a how-to which gives me
>> > detailed instructions on how I can modify an existing ISO image?
>> >
>> > I am not sure if this is the right mailing list for my question;
>> > please feel free to tell me the right one ;-)
>> >
>>
>> I added these extra validation checks in the ubuntu-keyring package
>> to make sure that signing keys are not modified by accident, and to
>> make sure that checksums are signed by semi known-to-be-good keys.
>>
>> To bypass these checks comment out commands under the
>> "checkkeyrings:" target.
>>
>> NB! Do make sure you ship your key as a key fragment in
>> /etc/apt/trusted.gpg.d/, as apt-key is no longer called, and from
>> yakkety and up signing keys must be shipped as individually exported
>> keys in the /etc/apt/trusted.gpg.d directory.
>>
>> Ideally d-i would support key fragments just like installed systems
>> can, then one wouldn't need to rebuild ubuntu-keyring at all.
>
> This brings me one step further.
>
> Now I can build the ubuntu-keyring packages, but the installation
> fails. I copy the results to the cd:
>
> cp ./ubuntu-keyring_2016.09.19_all.deb cd/pool/main/u/ubuntu-keyring/ubuntu-keyring_2016.09.19_all.deb
> cp ./ubuntu-keyring-udeb_2016.09.19_all.udeb cd/pool/main/u/ubuntu-keyring/ubuntu-keyring-udeb_2016.09.19_all.udeb

You must use a higher version number, e.g. use $ dch -i, pick a
sensible version number and describe your changes, e.g. use
2016.09.19+namexx1 as the version number or similar.

Can you paste the contents of your ubuntu-keyring_*_all.deb? e.g. the
output of $ dpkg-deb -c ubuntu-keyring_*_all.deb

> apt_ftparchive -c config-rel release cd/dists/yakkety > cd/dists/yakkety/Release
> gpg --yes --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg -a --default-key <mykey> --output cd/dists/yakkety/Release.gpg --detach-sig cd/dists/yakkety/Release
> cd cd; md5sum `find ! -name "md5sum.txt" ! -path "./isolinux/*" -follow -type f` > md5sum.txt; cd ..
> genisoimage -o output.iso -r -J -no-emul-boot -boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat ./cd
>
> The cd installation will abort with
>
> apt configuration problem
> An attempt to configure apt to install additional packages from CD
> failed.
>
> The debug output on vt4 show me
>
> gpgv: Signature made Tue ....
> gpgv:  using RSA key
> gpgv: Can't check signature: No public key
>  .
>  .
> apt-setup: W: Signature verification failed for /media/cdrom/diss/yakkety/Release.gpg
>
> I verified the install ubuntu-archive-keyring.gpg on my build host with
>
> gpgv --keyring ./ubuntu-archive-keyring.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release

The ubuntu-archive-keyring.gpg file is not used by apt on installed
systems in yakkety and up.

gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg
cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release

must work, and for that you must ship
/etc/apt/trusted.gpg.d/your-key-name.gpg in the ubuntu-keyring .deb
package.

> gpgv: Signature made Tue Oct 25 14:55:11 2016 CEST
> gpgv:                using RSA key
> gpgv: Good signature from "Signing Key Namexx <xxx at yyy.com>"
>
> So it looks good to me. Any idea?
>



-- 
Regards,

Dimitri.
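
As an added check (not part of this thread or of the ubuntu-keyring package), here is a small audit of the `dpkg-deb -c` listing the reply asks for: it confirms that the rebuilt .deb ships an individually exported .gpg key under /etc/apt/trusted.gpg.d/, which is what apt on yakkety and up reads, and that the fragment is a root-owned, non-world-writable regular file. The two listings below are constructed samples, and `your-key-name.gpg` is the placeholder name from the reply above.

```python
"""Audit a `dpkg-deb -c` listing of a rebuilt ubuntu-keyring .deb: does it ship
the apt key fragment that apt on yakkety and later actually reads?"""
import re

# One tar-style listing line: mode owner/group size date time path
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")
FRAGMENT_DIR = "./etc/apt/trusted.gpg.d/"      # read by apt (yakkety and up)
NOT_USED_BY_APT = "./usr/share/keyrings/"      # fine for gpgv on the build host, ignored by apt

def parse_listing(listing):
    """Return [(mode, owner, size, path), ...] for every entry in the listing."""
    entries = []
    for line in listing.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append((m[1], m[2], int(m[3]), m[4]))
    return entries

def audit_keyring_deb(listing):
    """Return a list of problems; an empty list means the package looks right."""
    problems = []
    entries = parse_listing(listing)
    fragments = [e for e in entries if e[3].startswith(FRAGMENT_DIR) and e[3] != FRAGMENT_DIR]
    if not fragments:
        problems.append("no key fragment under %s; apt ignores keyrings shipped only under %s"
                        % (FRAGMENT_DIR, NOT_USED_BY_APT))
    for mode, owner, size, path in fragments:
        if not path.endswith(".gpg"):
            problems.append("%s: fragments here must be individually exported .gpg keys" % path)
        if not mode.startswith("-") or size == 0:
            problems.append("%s: not a non-empty regular file" % path)
        if len(mode) == 10 and mode[8] == "w":
            problems.append("%s: world-writable, anyone could add a trusted signing key" % path)
        if owner != "root/root":
            problems.append("%s: owned by %s, expected root/root" % (path, owner))
    return problems

# Constructed listings (not real package contents). The first ships the key only
# where gpgv on the build host looked; the second adds the fragment apt reads.
BROKEN_LISTING = """
drwxr-xr-x root/root         0 2016-10-25 14:55 ./
drwxr-xr-x root/root         0 2016-10-25 14:55 ./usr/share/keyrings/
-rw-r--r-- root/root     10234 2016-10-25 14:55 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
"""
FIXED_LISTING = BROKEN_LISTING + """
drwxr-xr-x root/root         0 2016-10-25 14:55 ./etc/apt/trusted.gpg.d/
-rw-r--r-- root/root      1139 2016-10-25 14:55 ./etc/apt/trusted.gpg.d/your-key-name.gpg
"""
```

Feed it the real output of `dpkg-deb -c ubuntu-keyring_*_all.deb`; an empty result means the package ships the fragment that the `gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg ...` check in the reply relies on.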
