Generating a new ubuntu-keyring .deb to sign ISO CD
Stefani Seibold
stefani at seibold.net
Tue Oct 25 20:56:25 UTC 2016
Am Dienstag, den 25.10.2016, 14:35 +0100 schrieb Dimitri John Ledkov:
> On 25 October 2016 at 14:15, Stefani Seibold <stefani at seibold.net>
> wrote:
> >
> > On 25 October 2016 at 12:00, Stefani Seibold <stefani at seibold.net>
> > >
> > > wrote:
> > > >
> > > >
> > > > Hi,
> > > >
> > > > i want modify an existing ubuntu 16.10 iso image to provide a
> > > > new
> > > > kernel for a server device which is currently in development
> > > > and
> > > > yet
> > > > not on the market.
> > > >
> > > > I trying to build a new ubuntu-keyring.deb to sign my modified
> > > > packages
> > > > in the ISO Image. I followed the instructions provided by
> > > > Ubuntu (http
> > > > s://help.ubuntu.com/community/InstallCDCustomization), but
> > > > without
> > > > success.
> > > >
> > > > When i follow the instructions in the chapter "Generating a new
> > > > ubuntu-
> > > > keyring .deb to sign your CD" i get a lot off errors:
> > > >
> > > > dpkg-buildpackage -rfakeroot -m"Myname <myname at myhost.net>"
> > > > -k7F6D4417D881EFC3E7FA02E636F2F7B4F8A2CAC9
> > > > dpkg-buildpackage: info: source package ubuntu-keyring
> > > > dpkg-buildpackage: info: source version 2016.09.19
> > > > dpkg-buildpackage: info: source distribution yakkety
> > > > dpkg-buildpackage: info: host architecture amd64
> > > > dpkg-source --before-build ubuntu-keyring-2016.09.19
> > > > fakeroot debian/rules clean
> > > > test -f keyrings/ubuntu-archive-keyring.gpg
> > > > rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
> > > > rm -rf debian/tmp debian/ubuntu-keyring-udeb
> > > > dpkg-source -b ubuntu-keyring-2016.09.19
> > > > dpkg-source: warning: no source format specified in
> > > > debian/source/format, see dpkg-source(1)
> > > > dpkg-source: info: using source format '1.0'
> > > > dpkg-source: info: building ubuntu-keyring in ubuntu-
> > > > keyring_2016.09.19.tar.gz
> > > > dpkg-source: info: building ubuntu-keyring in ubuntu-
> > > > keyring_2016.09.19.dsc
> > > > debian/rules build
> > > > make: Nothing to be done for 'build'.
> > > > fakeroot debian/rules binary
> > > > test -f keyrings/ubuntu-archive-keyring.gpg
> > > > test root = "`whoami`"
> > > > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-
> > > > keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
> > > > gpg: Signature made Mon Sep 19 19:22:17 2016 CEST
> > > > gpg: using RSA key CAC2D8B9CD2CA5F9
> > > > keyrings/ubuntu-archive-keyring.gpg: OK
> > > > keyrings/ubuntu-archive-removed-keys.gpg: OK
> > > > keyrings/ubuntu-keyring-2004-archive.gpg: OK
> > > > keyrings/ubuntu-keyring-2004-cdimage.gpg: OK
> > > > keyrings/ubuntu-keyring-2012-archive.gpg: OK
> > > > keyrings/ubuntu-keyring-2012-cdimage.gpg: OK
> > > > keyrings/ubuntu-master-keyring.gpg: OK
> > > > gpg: BAD signature from "Dimitri John Ledkov <xnox at ubuntu.com>"
> > > > [unknown]
> > > > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-
> > > > keyring.gpg --decrypt md5sums.txt | md5sum -c -
> > > > gpg: Signature made Sat May 19 03:30:13 2012 CEST
> > > > gpg: using RSA key 393587D97D86500B
> > > > keyrings/ubuntu-archive-keyring.gpg: FAILED
> > > > gpg: Good signature from "Colin Watson <cjwatson at chiark.greenen
> > > > d.or
> > > > g.uk>" [unknown]
> > > > gpg: aka "Colin Watson <cjwatson at debian.org>"
> > > > [unknown]
> > > > gpg: aka "Colin Watson <cjwatson at ubuntu.com>"
> > > > [unknown]
> > > > gpg: aka "Colin Watson <cjwatson at canonical.com>
> > > > "
> > > > [unknown]
> > > > gpg: WARNING: This key is not certified with a trusted
> > > > signature!
> > > > gpg: There is no indication that the signature belongs
> > > > to
> > > > the owner.
> > > > Primary key fingerprint: AC0A 4FF1 2611 B6FC CF01 C111 3935
> > > > 87D9
> > > > 7D86 500B
> > > > md5sum: WARNING: 1 computed checksum did NOT match
> > > > debian/rules:92: recipe for target 'checkkeyrings' failed
> > > > make: *** [checkkeyrings] Error 1
> > > > dpkg-buildpackage: error: fakeroot debian/rules binary gave
> > > > error
> > > > exit status 2
> > > >
> > > > Any idea? Is there a instruction manual or a how to which gives
> > > > me
> > > > detailed instructions how i can modify an existing iso image?
> > > >
> > > > I am not sure it this is the right mailing list for my
> > > > question,
> > > > please
> > > > feel free to tell me the right one ;-)
> > > >
> > >
> > > I added these extra validation checks in the ubuntu-keyring
> > > package
> > > to
> > > make sure that signing keys are not modified by accident, and to
> > > make
> > > sure that checksums are signed by semi known-to-be-good keys.
> > >
> > > To bypass these checks comment out commands under the
> > > "checkkeyrings:" target.
> > >
> > > NB! Do make sure you ship your key as a key fragment in
> > > /etc/apt/trusted.gpg.d/ as apt-key is no longer called, and from
> > > yakkety and up signing keys must be shipped as individually
> > > exported
> > > keys in /etc/apt/trusted.gpg.d directory.
> > >
> > > Ideally d-i would support key fragments just like installed
> > > systems
> > > can, then one wouldn't need to rebuild ubuntu-keyring at all.
> >
> > This brings me one step further.
> >
> > Now i can build the ubuntu-keyring packages. But the installation
> > fails
> > i copy the results to cd:
> >
> > cp ./ubuntu-keyring_2016.09.19_all.deb cd/pool/main/u/ubuntu-
> > keyring/ubuntu-keyring_2016.09.19_all.deb
> > cp ./ubuntu-keyring-udeb_2016.09.19_all.udeb cd/pool/main/u/ubuntu-
> > keyring/ubuntu-keyring-udeb_2016.09.19_all.udeb
>
> You must use higher version number.... e.g. use $ dch -i and use a
> sensible version number and describe your changes, e.g. use
> 2016.09.19+namexx1 for version number or similar.
>
I incremented the package version to +mytest001 and added my gpg public
key to /etc/apt/trusted.gpg.d/ in both packages (deb + udeb).
Then i copied the resulting file into cd/pool/main/u/ubuntu-keyring/
and removed the old files.
After the rebuild of the Packages and Release files and signing the
Release file and the problem still occurs:
apt configuration problem
An attempt to configure apt to install additional packages from CD
failed
There is no /etc/apt/trusted.gpg.d/ directory and therefore no file.
> Can you paste contents of your ubuntu-keyring_*_all.deb? e.g. output
> of $ dpkg-deb -c ubuntu-keyring_*_all.deb
>
Here is my contents of the .deb und .udeb package:
drwxr-xr-x root/root 0 2016-10-25 21:51 ./
drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
-rw-r--r-- root/root 1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
-rw-r--r-- root/root 3422 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-archive.gpg
-rw-r--r-- root/root 3147 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-cdimage.gpg
-rw-r--r-- root/root 2796 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- root/root 2794 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/doc/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/
-rw-r--r-- root/root 157 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/README.gz
-rw-r--r-- root/root 2163 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/changelog.gz
-rw-r--r-- root/root 1242 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/copyright
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/keyrings/
-rw-r--r-- root/root 13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- root/root 0 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- root/root 1227 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-master-keyring.gpg
and
drwxr-xr-x root/root 0 2016-10-25 21:51 ./
drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
-rw-r--r-- root/root 1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/
drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/keyrings/
-rw-r--r-- root/root 13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
> >
> > apt_ftparchive -c config-rel release cd/dists/yakkety >
> > cd/dists/yakkety/Release
> > gpg --yes --no-default-keyring --keyring ./ubuntu-archive-
> > keyring.gpg -a --default-key <mykey> --output
> > cd/dists/yakkety/Release.gpg --detach-sig cd/dists/yakkety/Release
> > cd cd; md5sum `find ! -name "md5sum.txt" ! -path "./isolinux/*"
> > -follow -type f` > md5sum.txt; cd ..
> > genisoimage -o output.iso -r -J -no-emul-boot -boot-load-size 4
> > -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat ./cd
> >
> > The cd installation will abort with
> >
> > apt configuration problem
> > An attempt to configure apt to install additional packages from CD
> > failed.
> >
> > The debug output on vt4 show me
> >
> > gpgv: Signature made Tue ....
> > gpgv: using RSA key
> > gpgv: Can't check signature: No public key
> > .
> > .
> > apt-setup: W: Signature verification failed for
> > /media/cdrom/diss/yakkety/Release.gpg
> >
> > I verified the install ubuntu-archive-keyring.gpg on my build host
> > with
> >
> > gpgv --keyring ./ubuntu-archive-keyring.gpg
> > cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>
> ubuntu-archive-keyring.gpg file is not used by apt, on installed
> systems, in yakkety and up.
>
> gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg
> cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>
> must work, and for that you must ship
> /etc/apt/trusted.gpg.d/your-key-name.gpg in the ubuntu-keyring .deb
> package.
>
> >
> > gpgv: Signature made Tue Oct 25 14:55:11 2016 CEST
> > gpgv: using RSA key
> > gpgv: Good signature from "Signing Key Namexx <xxx at yyy.com>"
> >
> > So it looks good for me. Any idea?
> >
More information about the Ubuntu-devel-discuss
mailing list