Generating a new ubuntu-keyring .deb to sign ISO CD

Dimitri John Ledkov xnox at ubuntu.com
Wed Oct 26 09:48:01 UTC 2016


On 26 October 2016 at 08:40, Stefani Seibold <stefani at seibold.net> wrote:
> Am Dienstag, den 25.10.2016, 22:40 +0100 schrieb Dimitri John Ledkov:
>> > > Can you paste contents of your ubuntu-keyring_*_all.deb? e.g.
>> > > output
>> > > of $ dpkg-deb -c ubuntu-keyring_*_all.deb
>> > >
>> >
>> > Here are the contents of the .deb and .udeb packages:
>> >
>>
>> this is good.
>>
>> >
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
>> > -rw-r--r-- root/root      1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
>> > -rw-r--r-- root/root      3422 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-archive.gpg
>> > -rw-r--r-- root/root      3147 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-cdimage.gpg
>> > -rw-r--r-- root/root      2796 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
>> > -rw-r--r-- root/root      2794 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/doc/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/
>> > -rw-r--r-- root/root       157 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/README.gz
>> > -rw-r--r-- root/root      2163 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/changelog.gz
>> > -rw-r--r-- root/root      1242 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/copyright
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/keyrings/
>> > -rw-r--r-- root/root     13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
>> > -rw-r--r-- root/root         0 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-removed-keys.gpg
>> > -rw-r--r-- root/root      1227 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-master-keyring.gpg
>> >
>> > and
>> >
>>
>> this is not.
>>
>> >
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
>> > -rw-r--r-- root/root      1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/
>> > drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/keyrings/
>> > -rw-r--r-- root/root     13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
>> >
>>
>> so for the udeb case, I believe the "mytest-keyring-2016-test.gpg" keys
>> should be inside the ubuntu-archive-keyring.gpg but only in the .udeb.
>>
>> So for the sake of simplicity, I guess you have to do both:
>> 1) import your key into /usr/share/keyrings/ubuntu-archive-keyring.gpg
>> 2) ship your key as a key fragment in /etc/apt/trusted.gpg.d/
>> (already done above)
>>
>> I guess I really should look into fixing d-i to use trusted.gpg.d just
>> like the installed systems to avoid all the confusion. Because it
>> really is a nightmare now in yakkety. I'm so sorry that I did not
>> test / think of ISO customizations when migrating Ubuntu to the key
>> fragments.
>>
>> Regards,
>>
>> Dimitri.
>>
>>
>> >
>> > >
>> > > >
>> > > >
>> > > > apt-ftparchive -c config-rel release cd/dists/yakkety > cd/dists/yakkety/Release
>> > > > gpg --yes --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg -a --default-key <mykey> --output cd/dists/yakkety/Release.gpg --detach-sig cd/dists/yakkety/Release
>> > > > cd cd; md5sum `find ! -name "md5sum.txt" ! -path "./isolinux/*" -follow -type f` > md5sum.txt; cd ..
>> > > > genisoimage -o output.iso -r -J -no-emul-boot -boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat ./cd
>> > > >
>> > > > The CD installation will abort with
>> > > >
>> > > > apt configuration problem
>> > > > An attempt to configure apt to install additional packages from CD failed.
>> > > >
>> > > > The debug output on vt4 shows me
>> > > >
>> > > > gpgv: Signature made Tue ....
>> > > > gpgv:  using RSA key
>> > > > gpgv: Can't check signature: No public key
>> > > >  .
>> > > >  .
>> > > > apt-setup: W: Signature verification failed for
>> > > > /media/cdrom/diss/yakkety/Release.gpg
>> > > >
>> > > > I verified the installed ubuntu-archive-keyring.gpg on my build host with
>> > > >
>> > > > gpgv --keyring ./ubuntu-archive-keyring.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>> > >
>> > > The ubuntu-archive-keyring.gpg file is not used by apt on installed
>> > > systems in yakkety and up.
>> > >
>> > > gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>> > >
>> > > must work, and for that you must ship
>> > > /etc/apt/trusted.gpg.d/your-key-name.gpg in the ubuntu-keyring .deb
>> > > package.
>> > >
>> > > >
>> > > >
>> > > > gpgv: Signature made Tue Oct 25 14:55:11 2016 CEST
>> > > > gpgv:                using RSA key
>> > > > gpgv: Good signature from "Signing Key Namexx <xxx at yyy.com>"
>> > > >
>> > > > So it looks good for me. Any idea?
>> > > >
>> >
>>
>>
>
> I modified the filesystem.squashfs, replaced the ubuntu-archive-keyring.gpg
> with my version and added my /etc/apt/trusted.gpg.d/mykey.gpg.
>

Yes, the ubuntu-keyring.deb needs to be updated in the squashfs. We
didn't use squashfs on the server ISOs a long time ago, but have been
doing so for a while now.

> This brings me a little step further, since the key check is passed, but
> the installation is unable to find a kernel.
>
> chroot /target apt-cache search linux
>
> doesn't show me a kernel. Other packages are still there :-(
>

Have you recompiled the kernel, and does it have a new ABI revision?

Well, if you have a completely new kernel, you'd need to rebuild d-i,
rebuild kernel udebs, ship udebs on disk, ship debs on disk.

Do you have to use a server.iso? It's quite a bit to modify like this. I
would have simply rebuilt d-i with my own packages dropped in as udebs,
and used the resulting netinstaller that comes out of that, plus additional
repositories for the updated debs/udebs.

-- 
Regards,

Dimitri.
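A pre-flight check for the two-keyring requirement discussed in this thread, as an added example that is not from the thread or from the ubuntu-keyring package: it reads a `dpkg-deb -c` listing to confirm the package ships both a custom trusted.gpg.d fragment and ubuntu-archive-keyring.gpg, then runs gpgv against each keyring in the extracted package, the way the replies above suggest. It assumes dpkg-deb and gpgv are installed, and that the package path and the cd/dists/yakkety directory are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a customised
# ubuntu-keyring package. Assumes dpkg-deb and gpgv are installed.
set -u

# Read a `dpkg-deb -c` listing on stdin and print each trusted.gpg.d
# fragment and the archive keyring the package ships, one path per line.
list_keyrings() {
    awk '$NF ~ "^\\./etc/apt/trusted\\.gpg\\.d/.*\\.gpg$" { print $NF }
         $NF ~ "^\\./usr/share/keyrings/ubuntu-archive-keyring\\.gpg$" { print $NF }'
}

# Succeed only if the listing ships both places the key has to live:
# the archive keyring (read by d-i via the udeb) and a trusted.gpg.d
# fragment that is not one of Ubuntu's own ubuntu-keyring-* files.
listing_ok() {
    keys=$(list_keyrings)
    printf '%s\n' "$keys" | grep -q '^\./usr/share/keyrings/ubuntu-archive-keyring\.gpg$' || return 1
    printf '%s\n' "$keys" | grep '^\./etc/apt/trusted\.gpg\.d/' | grep -qv '/ubuntu-keyring-' || return 1
}

# Verify Release.gpg against every keyring in an extracted package tree.
# The archive keyring AND at least one trusted.gpg.d fragment must accept
# the signature, or apt-setup (udeb) or the installed system will reject it.
verify_release() {
    tree=$1; release=$2; sig=$3
    archive_ok=1; fragment_ok=1
    for kr in "$tree"/usr/share/keyrings/ubuntu-archive-keyring.gpg \
              "$tree"/etc/apt/trusted.gpg.d/*.gpg; do
        [ -f "$kr" ] || continue
        if gpgv --keyring "$kr" "$sig" "$release" >/dev/null 2>&1; then
            echo "OK   $kr"
            case "$kr" in
                */trusted.gpg.d/*) fragment_ok=0 ;;
                *)                 archive_ok=0 ;;
            esac
        else
            echo "FAIL $kr"
        fi
    done
    [ "$archive_ok" -eq 0 ] && [ "$fragment_ok" -eq 0 ]
}

# Usage: sh check-keyring.sh ubuntu-keyring_*_all.deb cd/dists/yakkety
if [ "$#" -eq 2 ]; then
    dpkg-deb -c "$1" | listing_ok || { echo "package is missing a keyring"; exit 1; }
    tmp=$(mktemp -d) && dpkg-deb -x "$1" "$tmp"
    verify_release "$tmp" "$2/Release" "$2/Release.gpg"
fi
```

Run it against both the .deb and the .udeb: the .deb must pass the listing check, and a FAIL on the archive keyring line is exactly the "No public key" case from the install log.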



