On 25 October 2016 at 21:56, Stefani Seibold <stef...@seibold.net> wrote:
> On Tuesday, 25.10.2016, 14:35 +0100, Dimitri John Ledkov wrote:
>> On 25 October 2016 at 14:15, Stefani Seibold <stef...@seibold.net> wrote:
>> >
>> > > On 25 October 2016 at 12:00, Stefani Seibold <stef...@seibold.net> wrote:
>> > > >
>> > > >
>> > > > Hi,
>> > > >
>> > > > I want to modify an existing Ubuntu 16.10 ISO image to provide a
>> > > > new kernel for a server device which is currently in development
>> > > > and not yet on the market.
>> > > >
>> > > > I am trying to build a new ubuntu-keyring.deb to sign my modified
>> > > > packages in the ISO image. I followed the instructions provided by
>> > > > Ubuntu (https://help.ubuntu.com/community/InstallCDCustomization),
>> > > > but without success.
>> > > >
>> > > > When I follow the instructions in the chapter "Generating a new
>> > > > ubuntu-keyring .deb to sign your CD" I get a lot of errors:
>> > > >
>> > > > dpkg-buildpackage -rfakeroot -m"Myname <myn...@myhost.net>"
>> > > > -k7F6D4417D881EFC3E7FA02E636F2F7B4F8A2CAC9
>> > > > dpkg-buildpackage: info: source package ubuntu-keyring
>> > > > dpkg-buildpackage: info: source version 2016.09.19
>> > > > dpkg-buildpackage: info: source distribution yakkety
>> > > > dpkg-buildpackage: info: host architecture amd64
>> > > >  dpkg-source --before-build ubuntu-keyring-2016.09.19
>> > > >  fakeroot debian/rules clean
>> > > > test -f keyrings/ubuntu-archive-keyring.gpg
>> > > > rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars
>> > > > rm -rf debian/tmp debian/ubuntu-keyring-udeb
>> > > >  dpkg-source -b ubuntu-keyring-2016.09.19
>> > > > dpkg-source: warning: no source format specified in
>> > > > debian/source/format, see dpkg-source(1)
>> > > > dpkg-source: info: using source format '1.0'
>> > > > dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.tar.gz
>> > > > dpkg-source: info: building ubuntu-keyring in ubuntu-keyring_2016.09.19.dsc
>> > > >  debian/rules build
>> > > > make: Nothing to be done for 'build'.
>> > > >  fakeroot debian/rules binary
>> > > > test -f keyrings/ubuntu-archive-keyring.gpg
>> > > > test root = "`whoami`"
>> > > > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -
>> > > > gpg: Signature made Mon Sep 19 19:22:17 2016 CEST
>> > > > gpg:                using RSA key CAC2D8B9CD2CA5F9
>> > > > keyrings/ubuntu-archive-keyring.gpg: OK
>> > > > keyrings/ubuntu-archive-removed-keys.gpg: OK
>> > > > keyrings/ubuntu-keyring-2004-archive.gpg: OK
>> > > > keyrings/ubuntu-keyring-2004-cdimage.gpg: OK
>> > > > keyrings/ubuntu-keyring-2012-archive.gpg: OK
>> > > > keyrings/ubuntu-keyring-2012-cdimage.gpg: OK
>> > > > keyrings/ubuntu-master-keyring.gpg: OK
>> > > > gpg: BAD signature from "Dimitri John Ledkov <x...@ubuntu.com>" [unknown]
>> > > > gpg --no-default-keyring --keyring /usr/share/keyrings/debian-keyring.gpg --decrypt md5sums.txt | md5sum -c -
>> > > > gpg: Signature made Sat May 19 03:30:13 2012 CEST
>> > > > gpg:                using RSA key 393587D97D86500B
>> > > > keyrings/ubuntu-archive-keyring.gpg: FAILED
>> > > > gpg: Good signature from "Colin Watson <cjwatson@chiark.greenend.org.uk>" [unknown]
>> > > > gpg:                 aka "Colin Watson <cjwat...@debian.org>" [unknown]
>> > > > gpg:                 aka "Colin Watson <cjwat...@ubuntu.com>" [unknown]
>> > > > gpg:                 aka "Colin Watson <cjwat...@canonical.com>" [unknown]
>> > > > gpg: WARNING: This key is not certified with a trusted signature!
>> > > > gpg:          There is no indication that the signature belongs to the owner.
>> > > > Primary key fingerprint: AC0A 4FF1 2611 B6FC CF01  C111 3935 87D9  7D86 500B
>> > > > md5sum: WARNING: 1 computed checksum did NOT match
>> > > > debian/rules:92: recipe for target 'checkkeyrings' failed
>> > > > make: *** [checkkeyrings] Error 1
>> > > > dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
>> > > >
>> > > > Any idea? Is there an instruction manual or a how-to which gives me
>> > > > detailed instructions on how I can modify an existing ISO image?
>> > > >
>> > > > I am not sure if this is the right mailing list for my question,
>> > > > please feel free to tell me the right one ;-)
>> > > >
>> > >
>> > > I added these extra validation checks in the ubuntu-keyring package
>> > > to make sure that signing keys are not modified by accident, and to
>> > > make sure that checksums are signed by semi known-to-be-good keys.
>> > >
>> > > To bypass these checks comment out commands under the
>> > > "checkkeyrings:" target.
>> > >
>> > > NB! Do make sure you ship your key as a key fragment in
>> > > /etc/apt/trusted.gpg.d/ as apt-key is no longer called, and from
>> > > yakkety and up signing keys must be shipped as individually exported
>> > > keys in the /etc/apt/trusted.gpg.d directory.
>> > >
>> > > Ideally d-i would support key fragments just like installed systems
>> > > can, then one wouldn't need to rebuild ubuntu-keyring at all.
>> >
>> > This brings me one step further.
>> >
>> > Now I can build the ubuntu-keyring packages. But the installation
>> > fails. I copy the results to the CD:
>> >
>> > cp ./ubuntu-keyring_2016.09.19_all.deb cd/pool/main/u/ubuntu-keyring/ubuntu-keyring_2016.09.19_all.deb
>> > cp ./ubuntu-keyring-udeb_2016.09.19_all.udeb cd/pool/main/u/ubuntu-keyring/ubuntu-keyring-udeb_2016.09.19_all.udeb
>>
>> You must use a higher version number, e.g. use $ dch -i, use a
>> sensible version number and describe your changes, e.g. use
>> 2016.09.19+namexx1 or similar as the version number.
>>
>
> I incremented the package version to +mytest001 and added my GPG public
> key to /etc/apt/trusted.gpg.d/ in both packages (deb + udeb).
>
>
> Then i copied the resulting file into cd/pool/main/u/ubuntu-keyring/
> and removed the old files.
>
> After rebuilding the Packages and Release files and signing the
> Release file, the problem still occurs:
>
> apt configuration problem
> An attempt to configure apt to install additional packages from CD failed
>
>
> There is no /etc/apt/trusted.gpg.d/ directory and therefore no file.
>
>> Can you paste contents of your ubuntu-keyring_*_all.deb? e.g. output
>> of $ dpkg-deb -c ubuntu-keyring_*_all.deb
>>
>
> Here are the contents of the .deb and .udeb packages:
>

This is good.

> drwxr-xr-x root/root         0 2016-10-25 21:51 ./
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
> -rw-r--r-- root/root      1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
> -rw-r--r-- root/root      3422 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-archive.gpg
> -rw-r--r-- root/root      3147 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2004-cdimage.gpg
> -rw-r--r-- root/root      2796 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
> -rw-r--r-- root/root      2794 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/doc/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/
> -rw-r--r-- root/root       157 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/README.gz
> -rw-r--r-- root/root      2163 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/changelog.gz
> -rw-r--r-- root/root      1242 2016-10-25 21:51 ./usr/share/doc/ubuntu-keyring/copyright
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/keyrings/
> -rw-r--r-- root/root     13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
> -rw-r--r-- root/root         0 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-removed-keys.gpg
> -rw-r--r-- root/root      1227 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-master-keyring.gpg
>
> and
>

This is not.

> drwxr-xr-x root/root         0 2016-10-25 21:51 ./
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/
> -rw-r--r-- root/root      1201 2016-10-25 21:51 ./etc/apt/trusted.gpg.d/mytest-keyring-2016-test.gpg
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/
> drwxr-xr-x root/root         0 2016-10-25 21:51 ./usr/share/keyrings/
> -rw-r--r-- root/root     13360 2016-10-25 21:51 ./usr/share/keyrings/ubuntu-archive-keyring.gpg
>

So for the udeb case, I believe the "mytest-keyring-2016-test.gpg" keys should
be inside ubuntu-archive-keyring.gpg, but only in the .udeb.

So for the sake of simplicity, I guess you have to do both:
1) import your key into /usr/share/keyrings/ubuntu-archive-keyring.gpg
2) ship your key as a key fragment in /etc/apt/trusted.gpg.d/
(already done above)

I guess I really should look into fixing d-i to use trusted.gpg.d just
like installed systems do, to avoid all the confusion. Because it
really is a nightmare now in yakkety. I'm so sorry that I did not
test / think of ISO customizations when migrating Ubuntu to the key
fragments.

Regards,

Dimitri.


>> >
>> > apt-ftparchive -c config-rel release cd/dists/yakkety > cd/dists/yakkety/Release
>> > gpg --yes --no-default-keyring --keyring ./ubuntu-archive-keyring.gpg -a --default-key <mykey> --output cd/dists/yakkety/Release.gpg --detach-sig cd/dists/yakkety/Release
>> > cd cd; md5sum `find ! -name "md5sum.txt" ! -path "./isolinux/*" -follow -type f` > md5sum.txt; cd ..
>> > genisoimage -o output.iso -r -J -no-emul-boot -boot-load-size 4 -boot-info-table -b isolinux/isolinux.bin -c isolinux/boot.cat ./cd
>> >
>> > The CD installation will abort with
>> >
>> > apt configuration problem
>> > An attempt to configure apt to install additional packages from CD failed.
>> >
>> > The debug output on vt4 shows me
>> >
>> > gpgv: Signature made Tue ....
>> > gpgv:  using RSA key
>> > gpgv: Can't check signature: No public key
>> >  .
>> >  .
>> > apt-setup: W: Signature verification failed for
>> > /media/cdrom/diss/yakkety/Release.gpg
>> >
>> > I verified the installed ubuntu-archive-keyring.gpg on my build host with
>> >
>> > gpgv --keyring ./ubuntu-archive-keyring.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>>
>> The ubuntu-archive-keyring.gpg file is not used by apt on installed
>> systems in yakkety and up.
>>
>> gpgv --keyring /etc/apt/trusted.gpg.d/your-key-name.gpg cd/dists/yakkety/Release.gpg cd/dists/yakkety/Release
>>
>> must work, and for that you must ship
>> /etc/apt/trusted.gpg.d/your-key-name.gpg in the ubuntu-keyring .deb
>> package.
>>
>> >
>> > gpgv: Signature made Tue Oct 25 14:55:11 2016 CEST
>> > gpgv:                using RSA key
>> > gpgv: Good signature from "Signing Key Namexx <x...@yyy.com>"
>> >
>> > So it looks good to me. Any idea?
>> >
>



-- 
Regards,

Dimitri.

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
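The key-placement problem Dimitri describes, and the checkkeyrings pipeline from the build log, reproduced as an added example. This is the editor's script, not code from the thread, from Ubuntu or from the ubuntu-keyring package. It assumes gpg, gpgv and sha512sum are installed and works entirely in a throwaway GNUPGHOME under a temporary directory; the signing key, its name and e-mail, the Release contents and the checksum file are all constructed for the demonstration and stand in for the real ones:

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or from Ubuntu): rebuild
# the trust problem above on a scratch GNUPGHOME, so nothing touches ~/.gnupg,
# a real ISO or a real ubuntu-keyring package. Key name, e-mail, Release text
# and checksum file are constructed here.
set -eu

for tool in gpg gpgv sha512sum; do
  command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed; skipping" >&2; exit 0; }
done

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# 1. Throwaway signing key, standing in for "Signing Key Namexx <x...@yyy.com>".
gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Signing Key Namexx
Name-Email: x@yyy.com
Expire-Date: 0
%commit
EOF

# 2. The key exported as a binary key fragment: the form apt (and, in yakkety,
#    the installer's apt-setup) reads from /etc/apt/trusted.gpg.d/.
FRAGMENT="$WORK/mytest-keyring-2016-test.gpg"
gpg --batch --export x@yyy.com > "$FRAGMENT"

# 3. Stand-ins for the stock ubuntu-archive-keyring.gpg, which does not contain
#    the new key. An empty file is a valid, empty OpenPGP keyring to gpg/gpgv.
STOCK="$WORK/stock-archive-keyring.gpg";   : > "$STOCK"
ARCHIVE="$WORK/ubuntu-archive-keyring.gpg"; : > "$ARCHIVE"

# 4. A constructed Release file plus detached signature, as apt-ftparchive and
#    gpg --detach-sig leave them under cd/dists/yakkety/.
DISTS="$WORK/cd/dists/yakkety"; mkdir -p "$DISTS"
printf 'Origin: Ubuntu\nSuite: yakkety\nCodename: yakkety\n' > "$DISTS/Release"
gpg --batch --yes -a --detach-sign --output "$DISTS/Release.gpg" "$DISTS/Release"

# verify_release KEYRING: the check apt-setup runs on the CD. Returns 0 only
# if gpgv validates Release.gpg using that keyring alone.
verify_release() {
  gpgv --keyring "$1" "$DISTS/Release.gpg" "$DISTS/Release" >/dev/null 2>&1
}

verify_release "$FRAGMENT" && echo "fragment: good signature"
verify_release "$STOCK" || echo "stock archive keyring: No public key (the vt4 failure)"

# 5. Step 1 of the advice above: import the fragment into the archive keyring
#    that the .udeb ships, so d-i and the installed system trust the same key.
gpg --batch --no-default-keyring --keyring "$ARCHIVE" --import "$FRAGMENT" >/dev/null 2>&1
verify_release "$ARCHIVE" && echo "archive keyring after import: good signature"

# 6. The checkkeyrings pattern from the build log, 'gpg --decrypt X.asc |
#    sha512sum -c -'. In a pipeline only the last command's status counts, so
#    a BAD signature alone does not fail the make target. Capture gpg's status
#    separately instead.
(cd "$DISTS" && sha512sum Release > SHA512SUMS.txt)
gpg --batch --yes --clearsign --output "$DISTS/SHA512SUMS.txt.asc" "$DISTS/SHA512SUMS.txt"
# Tampered copy: the checksum line is duplicated inside the signed text, so
# every line still passes sha512sum -c but the signature no longer verifies.
awk '{ print } /  Release$/ && !dup { print; dup = 1 }' \
  "$DISTS/SHA512SUMS.txt.asc" > "$DISTS/SHA512SUMS.tampered.asc"

# verify_sums FILE.asc: fails if either the signature or any checksum is bad.
verify_sums() {
  sums=$(gpg --batch --decrypt "$1" 2>/dev/null) || return 1
  (cd "$DISTS" && printf '%s\n' "$sums" | sha512sum -c - >/dev/null 2>&1)
}

verify_sums "$DISTS/SHA512SUMS.txt.asc" && echo "signed checksums: good"
verify_sums "$DISTS/SHA512SUMS.tampered.asc" || echo "tampered checksums: rejected"
```

Run it with `sh script.sh`. The "No public key" line is the situation on vt4: the signature is fine, the key is simply not in the keyring the verifier was handed, which is why the gpgv check against /etc/apt/trusted.gpg.d/your-key-name.gpg is the one that has to pass. Step 6 is the caveat a reviewer of debian/rules would raise: with `gpg --decrypt SHA512SUMS.txt.asc | sha512sum -c -` the recipe's exit status is sha512sum's, which matches the build log above, where the checksum lines are reported OK under a BAD signature and make only stopped at the later md5sum step. Assigning gpg's output to a variable first (or `set -o pipefail` under bash) makes the signature result fatal on its own.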
