On 25 October 2016 at 12:00, Stefani Seibold <stef...@seibold.net> wrote:
> Hi,
>
> I want to modify an existing Ubuntu 16.10 ISO image to provide a new
> kernel for a server device which is currently in development and not yet
> on the market.
>
> I am trying to build a new ubuntu-keyring.deb to sign my modified packages
> in the ISO image. I followed the instructions provided by Ubuntu
> (https://help.ubuntu.com/community/InstallCDCustomization), but without
> success.
>
> When I follow the instructions in the chapter "Generating a new
> ubuntu-keyring .deb to sign your CD" I get a lot of errors:
>
> dpkg-buildpackage -rfakeroot -m"Myname <myn...@myhost.net>" -k7F6D4417D881EFC3E7FA02E636F2F7B4F8A2CAC9
> dpkg-buildpackage: info: source package ubuntu-keyring
> dpkg-buildpackage: info: source version 2016.09.19
> dpkg-buildpackage: info: source distribution yakkety
> dpkg-buildpackage: info: host architecture amd64
> dpkg-source --before-build ubuntu-keyring-2016.09.19
> fakeroot debian/rules clean
> test -f keyrings/ubuntu-archive-keyring.gpg
> rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
> rm -rf debian/tmp debian/ubuntu-keyring-udeb
> dpkg-source -b ubuntu-keyring-2016.09.19
> dpkg-source: warning: no source format specified in debian/source/format, see dpkg-source(1)
> dpkg-source: info: using source format '1.0'
> dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.tar.gz
> dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.dsc
> debian/rules build
> make: Nothing to be done for 'build'.
> fakeroot debian/rules binary
> test -f keyrings/ubuntu-archive-keyring.gpg
> test root = "`whoami`"
> gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
> gpg: Signature made Mon Sep 19 19:22:17 2016 CEST
> gpg: using RSA key CAC2D8B9CD2CA5F9
> keyrings/ubuntu-archive-keyring.gpg: OK
> keyrings/ubuntu-archive-removed-keys.gpg: OK
> keyrings/ubuntu-keyring-2004-archive.gpg: OK
> keyrings/ubuntu-keyring-2004-cdimage.gpg: OK
> keyrings/ubuntu-keyring-2012-archive.gpg: OK
> keyrings/ubuntu-keyring-2012-cdimage.gpg: OK
> keyrings/ubuntu-master-keyring.gpg: OK
> gpg: BAD signature from "Dimitri John Ledkov <x...@ubuntu.com>" [unknown]
> gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt md5sums.txt | md5sum -c -
> gpg: Signature made Sat May 19 03:30:13 2012 CEST
> gpg: using RSA key 393587D97D86500B
> keyrings/ubuntu-archive-keyring.gpg: FAILED
> gpg: Good signature from "Colin Watson <cjwat...@chiark.greenend.org.uk>" [unknown]
> gpg: aka "Colin Watson <cjwat...@debian.org>" [unknown]
> gpg: aka "Colin Watson <cjwat...@ubuntu.com>" [unknown]
> gpg: aka "Colin Watson <cjwat...@canonical.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: AC0A 4FF1 2611 B6FC CF01 C111 3935 87D9 7D86 500B
> md5sum: WARNING: 1 computed checksum did NOT match
> debian/rules:92: recipe for target 'checkkeyrings' failed
> make: *** [checkkeyrings] Error 1
> dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
>
> Any idea? Is there an instruction manual or a how-to which gives me
> detailed instructions on how I can modify an existing ISO image?
>
> I am not sure if this is the right mailing list for my question, please
> feel free to tell me the right one ;-)
>

I added these extra validation checks in the ubuntu-keyring package to
make sure that signing keys are not modified by accident, and to make
sure that checksums are signed by semi known-to-be-good keys.

To bypass these checks comment out commands under the "checkkeyrings:"
target.

NB! Do make sure you ship your key as a key fragment in
/etc/apt/trusted.gpg.d/ as apt-key is no longer called, and from
yakkety and up signing keys must be shipped as individually exported
keys in /etc/apt/trusted.gpg.d directory.

Ideally d-i would support key fragments just like installed systems
can, then one wouldn't need to rebuild ubuntu-keyring at all.

--
Regards,

Dimitri.
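
A pre-flight check for the key fragment mentioned in the reply above, as an added example that is not part of the original thread or of the ubuntu-keyring package. It walks the OpenPGP packet headers of an exported key and flags a file that is armored, malformed, holds secret key material, or holds other than one public key; the function names, the requirement of a binary export, and the reading of "individually exported" as exactly one primary key are assumptions of this sketch.

```python
PUBKEY, SECKEY, SECSUBKEY = 6, 5, 7         # OpenPGP packet tags (RFC 4880, 4.3)

def packet_tags(data):
    """Return the tag of every packet in a binary OpenPGP keyring."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        pos += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial-length packet in a key export")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet in a key export")
            size = 1 << ltype                # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        tags.append(tag)
        pos += length
    return tags

def check_fragment(data):
    """Return a list of problems; empty means the fragment looks shippable."""
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return ["ASCII-armored; assumed here to need a binary export"]
    try:
        tags = packet_tags(data)
    except (ValueError, IndexError) as exc:
        return ["malformed: %s" % exc]
    problems = []
    if SECKEY in tags or SECSUBKEY in tags:
        problems.append("contains secret key material")
    if tags.count(PUBKEY) != 1:
        problems.append("expected exactly 1 public key, found %d" % tags.count(PUBKEY))
    return problems

def old_pkt(tag, body):                      # builds constructed sample packets
    return bytes([0x80 | (tag << 2), len(body)]) + body

SAMPLE = old_pkt(6, b"k" * 10) + old_pkt(13, b"uid") + old_pkt(2, b"sig")  # constructed
```

Feed `check_fragment` the bytes written by `gpg --export` for your signing key before copying the file into the image's /etc/apt/trusted.gpg.d/ directory.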