Are You Absolutely Certain That You Have The Real Source Code?


Why would you want to build a Linux kernel?

Maybe you realize that there’s a local root exploit possible on your kernel version. Maybe you want to take advantage of improved storage performance or extended network capability. Maybe you need a very specific kernel version to support a combination of your motherboard hardware plus network protocols or virtualization features. Maybe it’s just that you want to learn more about how the kernel works.

Whatever. The thing is, you have decided that you need to build a kernel.


That is, the real kernel: precisely the source provided by the Linux kernel organization. No one can risk using a kernel with a back door.

Accessing a website via HTTPS only verifies the identity of the server and encrypts the data transmission. HTTPS does not give you any guarantee that the site hasn’t been hacked and its data replaced.

Check the Digital Signature

This is fundamental cybersecurity from Learning Tree’s System and Network Security Introduction course. Source code for the kernel release x.y.z is available on the Linux kernel web site, in the xz-compressed archive file linux-x.y.z.tar.xz. Make sure to also get the associated signature file linux-x.y.z.tar.sign. The signature covers the uncompressed tarball, not the .xz file, so uncompress the archive first and then verify the signature:

$ ls -l linux-*
-rw-rw-r-- 1 you you      819 Jun 15 17:13 linux-4.6.2.tar.sign
-rw-rw-r-- 1 you you 89472176 Jun 15 17:13 linux-4.6.2.tar.xz
$ unxz linux-4.6.2.tar.xz
$ ls -l linux-*
-rw-rw-r-- 1 you you 666265600 Jun 15 17:13 linux-4.6.2.tar
-rw-rw-r-- 1 you you       819 Jun 15 17:13 linux-4.6.2.tar.sign
$ gpg --verify linux-4.6.2.tar.sign linux-4.6.2.tar
gpg: Signature made Tue 07 Jun 2016 09:24:11 PM EDT using RSA key ID 6092693E
gpg: Good signature from "Greg Kroah-Hartman (Linux kernel stable release signing key) "

But Where Is The Key?

You have to track down the Linux kernel project’s public key and verify that what you found is really their public key.

Unfortunately, there is no obvious process for getting a trustworthy copy of the kernel organization’s public key. There is no PKI.

The kernel.org site has some hand-waving about using a web of trust for PGP keys. Then they tell you to track down a kernel developer in person and sign each others’ keys.

That’s accompanied by a link to a Google map which absurdly tags a spot in the middle of the Atlantic Ocean as Cambridge, Massachusetts, one of the outer Aleutian Islands as Austin, Texas, and a spot in the White Sea off the Kola Peninsula as Oldenburg, Denmark.

Absurd Google map purporting to show Linux kernel developer locations.
Austin is an Aleutian Island, Cambridge is in the middle of the Atlantic Ocean, and Denmark is just off the coast of the Kola Peninsula!

The most help I can provide to you regarding the validity of the PGP signing key for the Linux kernel is that I’m convinced that it’s key ID 0x6092693E with a fingerprint of:

647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E

I’m convinced because that key has been used to sign the kernel source code for a number of years with no announcement of the site being hacked or the signing key being bogus.

Retrieve and Check the Key

You can import what claims to be a copy of the signing key from the MIT key server, and then check the fingerprint of what you got:

$ gpg --verbose --keyserver pgp.mit.edu --recv-keys 6092693e
[... output deleted ...]
$ gpg --list-keys --fingerprint 6092693e
pub   4096R/6092693E 2011-09-23
      Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
      uid      Greg Kroah-Hartman (Linux kernel stable release signing key) 
sub   4096R/76D54749 2011-09-23

If you’re willing to take my word for this, and trust Learning Tree’s blog site to not be hacked, then seeing that fingerprint (actually a SHA-1 hash) shown above should convince you that you have the real key.
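A "Good signature" message only says the signature matches some key in your keyring; it does not say that key is the one with the fingerprint above. The following shell functions (an added example, not part of the original post) pin the expected fingerprint and check it against the machine-readable VALIDSIG line that gpg --status-fd emits, so the check passes only when both the signature and the signing key are right. The pinned value is the fingerprint quoted above; the verify_tarball file names are placeholders.

```shell
#!/bin/sh
# Fingerprint of the kernel stable release signing key, as quoted in this post.
PINNED_FPR="647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E"

# Strip grouping spaces and upper-case hex so both display forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Pull the signing key fingerprint out of gpg --status-fd output.
# The line looks like: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
# Prints nothing if there was no valid signature at all.
validsig_fpr() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Succeed (exit 0) only if the status text reports a valid signature
# made by exactly the pinned key.
check_pinned() {
    fpr=$(validsig_fpr "$1")
    [ -n "$fpr" ] && [ "$(normalize_fpr "$fpr")" = "$(normalize_fpr "$PINNED_FPR")" ]
}

# Verify a detached signature ($1) over a tarball ($2) and enforce the pin.
# Status lines go to stdout for parsing; gpg's human-readable messages stay on stderr.
verify_tarball() {
    status=$(gpg --status-fd 1 --verify "$1" "$2") || return 1
    check_pinned "$status"
}

# Usage (placeholder file names):
#   verify_tarball linux-4.6.2.tar.sign linux-4.6.2.tar && echo "signature and key OK"
```

Without the pin, a tarball signed by any key you happen to have imported, or that an attacker slipped onto a key server under a similar name, would also print "Good signature".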

Now It’s Safe To Build The Kernel

Now you’re ready to build a kernel. See Learning Tree’s Linux server administration course for an explanation of how to configure, build, and install a new kernel from source.
