Generating a new ubuntu-keyring .deb to sign ISO CD
Stefani Seibold
stefani at seibold.net
Wed Oct 26 07:40:39 UTC 2016
On Tuesday, 25.10.2016 at 22:40 +0100, Dimitri John Ledkov wrote:
> > > Can you paste contents of your ubuntu-keyring_*_all.deb? e.g. output
> > > of $ dpkg-deb -c ubuntu-keyring_*_all.deb
> > >
> >
> > Here are the contents of my .deb and .udeb packages:
> >
>
> this is good.
>
> >
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
> > -rw-r--r-- root/root 1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
> > -rw-r--r-- root/root 3422 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-archive.gpg
> > -rw-r--r-- root/root 3147 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-cdimage.gpg
> > -rw-r--r-- root/root 2796 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
> > -rw-r--r-- root/root 2794 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/doc/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/
> > -rw-r--r-- root/root 157 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/README.gz
> > -rw-r--r-- root/root 2163 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/changelog.gz
> > -rw-r--r-- root/root 1242 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/copyright
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/keyrings/
> > -rw-r--r-- root/root 13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
> > -rw-r--r-- root/root 0 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-removed-keys.gpg
> > -rw-r--r-- root/root 1227 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-master-keyring.gpg
> >
> > and
> >
>
> this is not.
>
> >
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
> > -rw-r--r-- root/root 1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/
> > drwxr-xr-x root/root 0 2016-10-25 21:51 ./usr/share/keyrings/
> > -rw-r--r-- root/root 13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
> >
>
> So for the udeb case, I believe "mytest-keyring-2016-test.gpg" keys should
> be inside the ubuntu-archive-keyring.gpg but only in the .udeb.
>
> So for sake of simplicity, I guess you have to do both:
> 1) import your key into /usr/share/keyrings/ubuntu-archive-keyring.gpg
> 2) ship your key as a key fragment in the /etc/apt/trusted.gpg.d/
> (already done above)
>
> I guess I really should look into fixing d-i to use trusted.gpg.d just
> like the installed systems to avoid all the confusion. Because it
> really is a nightmare now in yakkety. I'm so sorry that I did not
> test / think of ISO customizations when migrating ubuntu to the key
> fragments.
>
> Regards,
>
> Dimitri.
>
>
> >
> > >
> > > >
> > > >
> > > > apt-ftparchive -c config-rel release cd/dists/yakkety > cd/dists/yakkety/Release
> > > > gpg --yes --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg -a --default-key <mykey> --output cd/dists/yakkety/Release.gpg --detach-sig cd/dists/yakkety/Release
> > > > cd cd; md5sum `find ! -name "md5sum.txt" ! -path "./isolinux/*" -follow -type f` > md5sum.txt; cd ..
> > > > genisoimage -o output.iso -r -J -no-emul-boot -boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat ./cd
> > > >
> > > > The cd installation will abort with
> > > >
> > > > apt configuration problem
> > > > An attempt to configure apt to install additional packages from CD failed.
> > > >
> > > > The debug output on vt4 shows me
> > > >
> > > > gpgv: Signature made Tue ....
> > > > gpgv: using RSA key
> > > > gpgv: Can't check signature: No public key
> > > > .
> > > > .
> > > > apt-setup: W: Signature verification failed for /media/cdrom/diss/yakkety/Release.gpg
> > > >
> > > > I verified the installed ubuntu-archive-keyring.gpg on my build host with
> > > >
> > > > gpgv --keyring ./ubuntu-archive-keyring.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
> > >
> > > ubuntu-archive-keyring.gpg file is not used by apt, on installed
> > > systems, in yakkety and up.
> > >
> > > gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
> > >
> > > must work, and for that you must ship
> > > /etc/apt/trusted.gpg.d/your-key-name.gpg in the ubuntu-keyring .deb
> > > package.
> > >
> > > >
> > > >
> > > > gpgv: Signature made Tue Oct 25 14:55:11 2016 CEST
> > > > gpgv: using RSA key
> > > > gpgv: Good signature from "Signing Key Namexx <xxx at yyy.com>"
> > > >
> > > > So it looks good for me. Any idea?
> > > >
> >
>
>
I modified the filesystem.squashfs and replaced the ubuntu-archive-keyring.gpg
with my version and added my /etc/apt/trusted.gpg.d/mykey.gpg.
This brings me a little step further since the key check is passed, but
the installation is unable to find a kernel.

chroot /target apt-cache search linux

doesn't show me a kernel. Other packages are still there :-(
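
An added example, not part of the original thread: a Python check for the "gpgv: Can't check signature: No public key" case discussed above. It reads the issuer key ID from a Release.gpg and tests whether a given keyring file (the udeb's ubuntu-archive-keyring.gpg, the squashfs copy, or a trusted.gpg.d fragment) contains that key. The function names are hypothetical, only v4 keys and signatures are handled, and a match shows the key is present; gpgv still has to verify the signature itself.

```python
import base64, hashlib

def dearmor(data):  # decode ASCII armor (gpg -a); binary input is returned unchanged
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body = data.replace(b"\r", b"").strip().split(b"\n\n", 1)[1].splitlines()[:-1]
    return base64.b64decode(b"".join(l for l in body if l[:1] != b"="))  # skip CRC line

def varlen(buf, i):  # new-format packet / subpacket length -> (length, next index)
    n = buf[i]
    if n < 192:
        return n, i + 1
    if n < 255:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body); partial/indeterminate lengths are not handled."""
    data, i = dearmor(data), 0
    while i < len(data):
        h = data[i]
        if h & 0x40:                       # new-format header
            tag, (n, i) = h & 0x3F, varlen(data, i + 1)
        else:                              # old-format header: 1, 2 or 4 length octets
            size = 1 << (h & 3)
            tag, n, i = (h >> 2) & 0xF, int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def keyring_ids(keyring):  # key IDs = low 64 bits of the SHA-1 fingerprint (v4 keys/subkeys)
    return {hashlib.sha1(b"\x99" + len(b).to_bytes(2, "big") + b).digest()[-8:].hex().upper()
            for t, b in packets(keyring) if t in (6, 14) and b[:1] == b"\x04"}

def issuer_ids(sig):
    """Yield issuer key IDs (subpacket type 16) found in v4 signature packets."""
    for t, b in packets(sig):
        if t == 2 and b[:1] == b"\x04":
            hlen = int.from_bytes(b[4:6], "big")
            ulen = int.from_bytes(b[6 + hlen:8 + hlen], "big")
            for area in (b[6:6 + hlen], b[8 + hlen:8 + hlen + ulen]):  # hashed, unhashed
                j = 0
                while j < len(area):
                    n, j = varlen(area, j)          # n counts the type octet too
                    if area[j] & 0x7F == 16:
                        yield area[j + 1:j + 9].hex().upper()
                    j += n

def can_verify(sig, keyring):  # does this keyring hold the key that made sig?
    return bool(set(issuer_ids(sig)) & keyring_ids(keyring))
```

Call can_verify(open("cd/dists/yakkety/Release.gpg", "rb").read(), open(path, "rb").read()) for each keyring file extracted from the .deb, the .udeb and the squashfs; any location that returns False is one where the installer or apt will report "No public key".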