Why would you want to build a Linux kernel?
Maybe you realize that there’s a local root exploit possible on your kernel version. Maybe you want to take advantage of improved storage performance or extended network capability. Maybe you need a very specific kernel version to support a combination of your motherboard hardware plus network protocols or virtualization features. Maybe it’s just that you want to learn more about how the kernel works.
Whatever. The thing is, you have decided that you need to build a kernel.
That is, the real kernel: precisely the kernel provided by the Linux kernel organization. No one can risk running a kernel with a back door.
Accessing a website via HTTPS only verifies the identity of the server and encrypts the data in transit. HTTPS gives you no guarantee that the site hasn’t been hacked and its files replaced.
This is fundamental cybersecurity from Learning Tree’s System and Network Security Introduction course. Source code for the kernel release x.y.z is available on the Linux kernel web site, in the xz-compressed archive file linux-x.y.z.tar.xz. Make sure to also get the associated signature file linux-x.y.z.tar.sign. The signature is made over the uncompressed tar archive rather than the .xz file, so you uncompress the archive first and then verify the signature:
$ ls -l linux-*
-rw-rw-r-- 1 you you       819 Jun 15 17:13 linux-4.6.2.tar.sign
-rw-rw-r-- 1 you you  89472176 Jun 15 17:13 linux-4.6.2.tar.xz
$ unxz linux-4.6.2.tar.xz
$ ls -l linux-*
-rw-rw-r-- 1 you you 666265600 Jun 15 17:13 linux-4.6.2.tar
-rw-rw-r-- 1 you you       819 Jun 15 17:13 linux-4.6.2.tar.sign
$ gpg --verify linux-4.6.2.tar.sign linux-4.6.2.tar
gpg: Signature made Tue 07 Jun 2016 09:24:11 PM EDT using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) "
A “Good signature” only tells you that the archive matches a signature made by whatever key is in your keyring. You still have to track down the Linux kernel project’s public key and verify that what you found really is their public key.
Unfortunately, there is no obvious process for getting a trustworthy copy of the kernel organization’s public key. There is no PKI.
The kernel.org site has some hand-waving about using a web of trust for PGP keys. Then they tell you to track down a kernel developer in person and sign each others’ keys.
That’s accompanied by a link to a Google map which absurdly tags a spot in the middle of the Atlantic Ocean as Cambridge, Massachusetts, one of the outer Aleutian Islands as Austin, Texas, and a spot in the White Sea off the Kola Peninsula as Oldenburg, Denmark.
The most help I can provide to you regarding the validity of the PGP signing key for the Linux kernel is that I’m convinced that it’s key ID 0x6092693E with a fingerprint of:
647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
I’m convinced because that key has been used to sign the kernel source code for a number of years with no announcement of the site being hacked or the signing key being bogus.
You can import what claims to be a copy of the signing key from the MIT key server, and then check the fingerprint of what you got:
$ gpg --verbose --keyserver pgp.mit.edu --recv-keys 6092693e
[... output deleted ...]
$ gpg --list-keys --fingerprint 6092693e
pub   4096R/6092693E 2011-09-23
      Key fingerprint = 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
uid                  Greg Kroah-Hartman (Linux kernel stable release signing key)
sub   4096R/76D54749 2011-09-23
If you’re willing to take my word for this, and to trust that Learning Tree’s blog site has not been hacked, then seeing the fingerprint (actually a SHA-1 hash of the key) shown above should convince you that you have the real key.
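The two steps above (verifying the detached signature, then checking that the key behind it has the expected fingerprint) are easy to get backwards: gpg prints “Good signature” for any key in your keyring, and the eight-hex-digit key ID it shows is not a unique identifier. The script below is an added example, not code from the post or from kernel.org; it assumes gpg is installed and that the fingerprint quoted above is the one you have decided to trust. It asks gpg for its machine-readable status lines and accepts the archive only when a VALIDSIG line carries the full expected fingerprint. The constructed status lines in the comments are shaped like real gpg output but are not copied from the session above.

```shell
#!/bin/sh
# Added example (not from the original post): verify a kernel tarball's detached
# signature AND pin the signing key's full fingerprint, so a "Good signature"
# from some other key that merely shares a name or short key ID is rejected.
# Assumes gpg is installed; the fingerprint is the one the post quotes.

EXPECTED_FPR="647F28654894E3BD457199BE38DBBDC86092693E"

# check_status_output EXPECTED_FPR
# Reads "gpg --status-fd" lines on stdin and succeeds only if a VALIDSIG line
# names the expected fingerprint (as the signing key or as the primary key,
# which VALIDSIG lists as its last field when a subkey signed).
# GOODSIG is deliberately ignored: it carries only the 64-bit key ID and the
# user ID string, neither of which is enough to identify a key.
check_status_output() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                for field in $line; do
                    [ "$field" = "$expected" ] && found=0
                done
                ;;
        esac
    done
    return "$found"
}

# verify_tarball TARBALL SIGFILE [FINGERPRINT]
# Runs gpg with status lines on stdout (human-readable output goes to stderr)
# and feeds them to the checker; the pipeline's status is the checker's.
verify_tarball() {
    tarball="$1"; sigfile="$2"; fpr="${3:-$EXPECTED_FPR}"
    gpg --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null \
        | check_status_output "$fpr"
}

# key_fingerprint KEYID
# Prints the full fingerprint of a key already in the local keyring, using the
# colon-separated output ("fpr" record, field 10) so it compares cleanly.
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage when run directly:
#   ./verify-kernel.sh linux-4.6.2.tar linux-4.6.2.tar.sign
# (hypothetical script name; run after "unxz linux-4.6.2.tar.xz")
if [ "$#" -ge 2 ]; then
    if verify_tarball "$1" "$2" "${3:-$EXPECTED_FPR}"; then
        echo "OK: valid signature from key $EXPECTED_FPR"
    else
        echo "FAIL: no valid signature from the expected key" >&2
        exit 1
    fi
fi
```

Before the first run, compare `key_fingerprint 6092693e` against the fingerprint you obtained out of band; after that, every release you fetch is checked against the pinned value rather than against whatever key a keyserver happens to return for that key ID.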
Now you’re ready to build a kernel. See Learning Tree’s Linux server administration course for an explanation of how to configure, build, and install a new kernel from source.