On 26 October 2016 at 08:40, Stefani Seibold <stef...@seibold.net> wrote:
> On Tuesday, 25.10.2016, at 22:40 +0100, Dimitri John Ledkov wrote:
>> > > Can you paste contents of your ubuntu-keyring_*_all.deb? e.g. output
>> > > of $ dpkg-deb -c ubuntu-keyring_*_all.deb
>> > >
>> >
>> > Here is my contents of the .deb and .udeb package:
>> >
>>
>> this is good.
>>
>> >
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./etc/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./etc/apt/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
>> > -rw-r--r-- root/root  1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
>> > -rw-r--r-- root/root  3422 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-archive.gpg
>> > -rw-r--r-- root/root  3147 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-cdimage.gpg
>> > -rw-r--r-- root/root  2796 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
>> > -rw-r--r-- root/root  2794 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/share/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/share/doc/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/
>> > -rw-r--r-- root/root   157 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/README.gz
>> > -rw-r--r-- root/root  2163 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/changelog.gz
>> > -rw-r--r-- root/root  1242 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/copyright
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/share/keyrings/
>> > -rw-r--r-- root/root 13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
>> > -rw-r--r-- root/root     0 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-removed-keys.gpg
>> > -rw-r--r-- root/root  1227 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-master-keyring.gpg
>> >
>> > and
>> >
>>
>> this is not.
>>
>> >
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./etc/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./etc/apt/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
>> > -rw-r--r-- root/root  1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/share/
>> > drwxr-xr-x root/root     0 2016-10-25 21:51 ./usr/share/keyrings/
>> > -rw-r--r-- root/root 13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
>> >
>>
>> So for the udeb case, I believe the "mytest-keyring-2016-test.gpg" keys
>> should be inside the ubuntu-archive-keyring.gpg, but only in the .udeb.
>>
>> So for the sake of simplicity, I guess you have to do both:
>> 1) import your key into /usr/share/keyrings/ubuntu-archive-keyring.gpg
>> 2) ship your key as a key fragment in the /etc/apt/trusted.gpg.d/
>>    (already done above)
>>
>> I guess I really should look into fixing d-i to use trusted.gpg.d just
>> like the installed systems, to avoid all the confusion. Because it
>> really is a nightmare now in yakkety. I'm so sorry that I did not
>> test / think of ISO customizations when migrating Ubuntu to the key
>> fragments.
>>
>> Regards,
>>
>> Dimitri.
>>
>> > > >
>> > > > apt_ftparchive -c config-rel release cd/dists/yakkety > cd/dists/yakkety/Release
>> > > > gpg --yes --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg -a --default-key <mykey> --output cd/dists/yakkety/Release.gpg --detach-sig cd/dists/yakkety/Release
>> > > > cd cd; md5sum `find ! -name "md5sum.txt" ! -path "./isolinux/*" -follow -type f` > md5sum.txt; cd ..
>> > > > genisoimage -o output.iso -r -J -no-emul-boot -boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat ./cd
>> > > >
>> > > > The cd installation will abort with
>> > > >
>> > > > apt configuration problem
>> > > > An attempt to configure apt to install additional packages from CD failed.
>> > > >
>> > > > The debug output on vt4 shows me
>> > > >
>> > > > gpgv: Signature made Tue ....
>> > > > gpgv: using RSA key
>> > > > gpgv: Can't check signature: No public key
>> > > > .
>> > > > .
>> > > > apt-setup: W: Signature verification failed for /media/cdrom/diss/yakkety/Release.gpg
>> > > >
>> > > > I verified the installed ubuntu-archive-keyring.gpg on my build host with
>> > > >
>> > > > gpgv --keyring ./ubuntu-archive-keyring.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>> > >
>> > > ubuntu-archive-keyring.gpg file is not used by apt, on installed
>> > > systems, in yakkety and up.
>> > >
>> > > gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>> > >
>> > > must work, and for that you must ship
>> > > /etc/apt/trusted.gpg.d/your-key-name.gpg in the ubuntu-keyring .deb
>> > > package.
>> > >
>> > > >
>> > > > gpgv: Signature made Tue Oct 25 14:55:11 2016 CEST
>> > > > gpgv: using RSA key
>> > > > gpgv: Good signature from "Signing Key Namexx <x...@yyy.com>"
>> > > >
>> > > > So it looks good for me. Any idea?
>> > > >
>> >
>>
>
> I modified the filesystem.squashfs and replaced the
> ubuntu-archive-keyring.gpg with my version and added
> my /etc/apt/trusted.gpg.d/mykey.gpg.
>
Yes, the ubuntu-keyring.deb needs to be updated in the squashfs. We
didn't use to use squashfs on the server ISOs a long time ago, but have
been doing so for a while now.

> This brings me a little step further since the key check is passed, but
> the installation is unable to find a kernel.
>
> chroot /target apt-cache search linux
>
> doesn't show me a kernel. Other packages are still there :-(
>

Have you recompiled the kernel, and does it have a new ABI revision? Well, if
you have a completely new kernel, you'd need to rebuild d-i, rebuild
kernel udebs, ship udebs on disk, ship debs on disk.

Do you have to use a server.iso? It's quite a bit to modify like this. I
would have simply rebuilt d-i, with my own packages dropped as udebs,
and used the resulting netinstaller that comes out of that + additional
repositories for the updated debs/udebs.

--
Regards,

Dimitri.

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
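
The keyring check discussed in this thread, as an added example (not code from either poster or from Ubuntu): it runs gpgv against each keyring in an unpacked ubuntu-keyring .deb, .udeb or squashfs root and reports whether the location the thread says is consulted can verify Release.gpg. The function names, the KIND argument and the overridable GPGV variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: report which keyrings inside an unpacked
# ubuntu-keyring .deb/.udeb (dpkg-deb -x) or squashfs root verify Release.gpg.
# GPGV is overridable (an assumption of this example); it defaults to gpgv.
GPGV=${GPGV:-gpgv}

# verifies KEYRING SIGNATURE FILE -> exit 0 when gpgv accepts the signature
verifies() {
    "$GPGV" --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# check_root KIND ROOT RELEASE
#   KIND=udeb: per the thread, d-i needs the key inside
#              usr/share/keyrings/ubuntu-archive-keyring.gpg
#   KIND=deb : installed apt (yakkety and up) needs a fragment in
#              etc/apt/trusted.gpg.d/
# Prints GOOD/FAIL per keyring; returns 0 only if the required location verifies.
check_root() {
    kind=$1 root=$2 release=$3 sig=$3.gpg ok=1
    for k in "$root"/usr/share/keyrings/ubuntu-archive-keyring.gpg \
             "$root"/etc/apt/trusted.gpg.d/*.gpg; do
        [ -f "$k" ] || continue        # unmatched glob or missing file
        if verifies "$k" "$sig" "$release"; then
            echo "GOOD ${k#"$root"/}"
            case "$kind:$k" in
                udeb:*/usr/share/keyrings/*)   ok=0 ;;
                deb:*/etc/apt/trusted.gpg.d/*) ok=0 ;;
            esac
        else
            echo "FAIL ${k#"$root"/}"
        fi
    done
    return "$ok"
}

# Usage: sh check-keyrings.sh udeb ./unpacked-udeb cd/dists/yakkety/Release
if [ "$#" -eq 3 ]; then
    check_root "$@"
fi
```

Run it once per artifact (the .deb, the .udeb and the squashfs root) before building the ISO; a FAIL on the archive keyring of the .udeb corresponds to the "No public key" error seen on vt4.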