Ubuntu
linux-signed package

Can't build linux-signed-5.15.0

Asked by ppa-verse

When I am trying to re-package linux kernel, it tries to download sha256 and fails:

```
user@linux: ~/linux-signed-5.15.0$ dpkg-buildpackage
dpkg-buildpackage: info: source package linux-signed
dpkg-buildpackage: info: source version 5.15.0-52.58
dpkg-buildpackage: info: source distribution jammy
dpkg-buildpackage: info: source changed by Stefan Bader <email address hidden>
dpkg-buildpackage: info: host architecture amd64
 dpkg-source --before-build .
dpkg-source: info: using options from linux-signed-5.15.0/debian/source/options: --diff-ignore --tar-ignore
 fakeroot debian/rules clean
sed <debian/control.stub >debian/control \
 -e "s/ABI/5.15.0-52/g" \
 -e "s/UNSIGNED_SRC_PACKAGE/linux/g" \
 -e "s/UNSIGNED_SRC_VERSION/5.15.0-52.58/g" \
 -e 's/SRCPKGNAME/linux-signed/g' \
 -e 's/HEADERS_COMMON/linux-headers-5.15.0-52/g' \
 -e 's/HEADERS_ARCH/linux-headers-5.15.0-52-generic/g'
rm -rf ./5.15.0-52.58 UNSIGNED SIGNED
rm -f debian/linux-image-*.install \
 debian/linux-image-*.preinst \
 debian/linux-image-*.prerm \
 debian/linux-image-*.postinst \
 debian/linux-image-*.postrm
rm -f debian/kernel-signed-image-*.install
dh clean
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
   dh_clean
dh_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
 dpkg-source -b .
dpkg-source: info: using options from linux-signed-5.15.0/debian/source/options: --diff-ignore --tar-ignore
dpkg-source: warning: native package version may not have a revision
dpkg-source: info: using source format '3.0 (native)'
dpkg-source: info: building linux-signed in linux-signed_5.15.0-52.58.tar.xz
dpkg-source: info: building linux-signed in linux-signed_5.15.0-52.58.dsc
 debian/rules build
dh build
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
   dh_update_autotools_config
   debian/rules override_dh_auto_build
make[1]: Entering directory '/home/user/linux-signed-5.15.0'
./download-signed "linux-headers-5.15.0-52-generic" "5.15.0-52.58" "linux"
Downloading http://archive.ubuntu.com/ubuntu/dists/jammy-updates/main/signed/linux-amd64/5.15.0-52.58/SHA256SUMS ... not found
download-signed: SHA256SUMS: not found
make[1]: *** [debian/rules:49: override_dh_auto_build] Error 1
make[1]: Leaving directory '/home/user/linux-signed-5.15.0'
make: *** [debian/rules:46: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
```

I've manually checked the URL and it is indeed invalid -- the `signed` dir is empty.

What's the correct URL to get the checksum for the kernel?

Also, will I even be able to build this package? I probably need some signing keys to sign it...

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu linux-signed Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Manfred Hampl (m-hampl) said : 		#1

When I compare your output with the buildlog file of the equivalent package in the Ubuntu repositories, I see the following:

https://launchpad.net/ubuntu/+source/linux-signed/5.15.0-52.58
https://launchpad.net/~canonical-signing/+archive/ubuntu/primary/+build/24552072
https://launchpad.net/~canonical-signing/+archive/ubuntu/primary/+build/24552072/+files/buildlog_ubuntu-jammy-amd64.linux-signed_5.15.0-52.58_BUILDING.txt.gz

dh clean
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
   dh_clean
dh_clean: warning: Compatibility levels before 10 are deprecated (level 9 in use)
 debian/rules build
dh build
dh: warning: Compatibility levels before 10 are deprecated (level 9 in use)
   dh_update_autotools_config
   debian/rules override_dh_auto_build
make[1]: Entering directory '/<<PKGBUILDDIR>>'
./download-signed "linux-headers-5.15.0-52-generic" "5.15.0-52.58" "linux"
Downloading http://private-ppa.buildd/canonical-signing/primary/ubuntu/dists/jammy/main/signed/linux-amd64/5.15.0-52.58/SHA256SUMS ... found
Downloading http://private-ppa.buildd/canonical-signing/primary/ubuntu/dists/jammy/main/signed/linux-amd64/5.15.0-52.58/signed.tar.gz ... found

Apparently the build of the package happens with a different base directory on the repository server, which is not accessible from outside. I assume the missing SHA256SUMS file is not the problem and can be ignored, but the process probably won't work without the second file (signed.tar.gz).

And to your last question: Yes, for building the signed kernel packages you would need access to the signing keys. I do not know any details of the access rules, but I hope that they are very much restricted, such that nobody except a very small group of trusted canonical employees can access them.

Revision history for this message
ppa-verse (ppa-verse) said : 		#2

Thanks Manfred. So, I guess, my only option is to build an unsigned kernel?

Revision history for this message
Manfred Hampl (m-hampl) said : 		#3

If you want, you can sign the kernel files with you own private key.
The question just is: What do you want to achieve with that?
Why do you create your own kernel at all?
What is wrong with the kernels provided by Ubuntu?

Revision history for this message
ppa-verse (ppa-verse) said : 		#4

I don't care about signing the kernel per se. I was just trying to make sure I get all the same patches and whatnot that are in the official kernel.

I am trying to make a very slimmed down version of the kernel for an embedded system. No wifi, bluetooth, and many other things I don't need.

If the unsigned kernel is the same (other than being signed), I will go ahead with that. I am actually trying to build it now.

Can you help with this problem?

Provide an answer of your own, or ask ppa-verse for more information if necessary.

To post a message you must log in.