Instead of removing the kernel signature checking, I've just configured it correctly:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking

To get there, I've just followed these steps:

sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*

...which:

  1. installs the Ubuntu Linux kernel sources
  2. copies the certificates into a dedicated non-package-managed directory
  3. removes any kernel sources package again

This process can be repeated whenever an update is required (e.g. new certificates).

Answer from Ancoron on Stack Overflow
🌐
Stack Overflow
stackoverflow.com › questions › 71567056 › no-rule-to-make-target-kernel-signing-key-pem-needed-by-certs-signing-key-x
linux - No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509' - Stack Overflow
I ran make O=/home/stephen/build/kernel V=1 all according to the document, the working directory is /home/stephen/linux-5.17 then it threw an error: make[2]: *** No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509'. Stop.
Top answer
1 of 6
32

Instead of removing the kernel signature checking, I've just configured it correctly:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking

To get there, I've just followed these steps:

sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*

...which:

  1. installs the Ubuntu Linux kernel sources
  2. copies the certificates into a dedicated non-package-managed directory
  3. removes any kernel sources package again

This process can be repeated whenever an update is required (e.g. new certificates).

2 of 6
20

This seems to be the way to go with the current version:

https://unix.stackexchange.com/a/649484/301245

There are many, many config flags now, and the signing system must stay operational for the build to work. Easiest is to copy debian/ and debian.master/ into the source tree of the kernel to be built, then it works without additional changes. Well, almost: It can happen that references to key files still exist. The keys section in the .conf file should look like this:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
# end of Certificates for signature checking
Discussions

Need someone confirmation for the changes I did
When I tried to run make oldconfig or make all recieve below error: make[1]: More on forum.linuxfoundation.org
🌐 forum.linuxfoundation.org
January 25, 2022
[Bug 1201450] New: Cannot compile kernel, No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509' - openSUSE Kernel Bugs - openSUSE Mailing Lists
http://bugzilla.opensuse.org/show_bug.cgi?id=1201450 Bug ID: 1201450 Summary: Cannot compile kernel, No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509' Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other OS: Other Status: ... More on lists.opensuse.org
🌐 lists.opensuse.org
September 11, 2022
debian - Attempting to compile kernel yields a certification error - Unix & Linux Stack Exchange
I'm currently attempting to follow Hardening Debian for the Desktop Using Grsecurity guide in order to install the 4.5.7 kernel with Grsecurity on my Kali Linux desktop. I am following that list of More on unix.stackexchange.com
🌐 unix.stackexchange.com
July 3, 2016
Guidance to compile the linux kernel
the answers are here and here More on reddit.com
🌐 r/kernel
3
4
February 9, 2025
🌐
Linux Foundation Forums
forum.linuxfoundation.org › lfd103 class forum
Need someone confirmation for the changes I did — Linux Foundation Forums
January 25, 2022 - When I tried to run make oldconfig or make all recieve below error: make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop. make: *** [Makefile:1809: certs] Error 2 · To resolve this I find an solution and followed one of the blog(https://askubuntu.com/questions/1329538/compiling-the-kernel-5-11-11) for help:-
🌐
Linux.org
linux.org › forums › general linux forums › command line
compile kernel | Linux.org
February 7, 2020 - Hello there, Im trying to compile latest kernel 5.5.2. During "make" command, I have this error: make[1]: *** No rule to make target 'certs/rhel.pem', needed by 'certs/x509_certificate_list'. Stop. make: *** [Makefile:1693: certs] Error 2 I use CentOS 8 in a virtual machine. First time...
🌐
openSUSE Mailing Lists
lists.opensuse.org › archives › list › kernel-bugs@lists.opensuse.org › thread › ZAZSA2LYKV2WNWUFXKVO6L4PSH25FXTM
[Bug 1201450] New: Cannot compile kernel, No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509' - openSUSE Kernel Bugs - openSUSE Mailing Lists
September 11, 2022 - http://bugzilla.opensuse.org/show_bug.cgi?id=1201450 Bug ID: 1201450 Summary: Cannot compile kernel, No rule to make target '.kernel_signing_key.pem', needed by 'certs/signing_key.x509' Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-bugs@opensuse.org Reporter: aaronw@doofus.org QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Every time I follow the instructions for README.SUSE I get the following error: make -j24 vmlinux modules GEN Makefile DESCEND o
🌐
Linux.org
linux.org › home › forums › general linux forums › general linux questions
Kernel Compilation Issue on Ubuntu 24.04: Missing Rule for 'debian/canonical-certs.pem' | Linux.org
October 27, 2024 - File name or PKCS#11 URI of module signing key (MODULE_SIG_KEY) [certs/signing_key.pem] (NEW) When it generates, it gives the same error. ... Hi everyone, I found a way to resolve an issue during the kernel compilation. I removed the CONFIG_SYSTEM_TRUSTED setting and also removed the module options (CONFIG_MODULES). During the compilation, I received the following message: SYNC include/config/auto.conf.cmd · Restart config... ... Click to expand... choice[1-2?]: 2 * Provide system-wide ring of trusted keys (SYSTEM_TRUSTED_KEYRING) [Y/?] (NEW) y ...
Find elsewhere
🌐
Google Groups
groups.google.com › g › fa.linux.kernel › c › h52Au9mcJwE
4.6 compilation error when making signing key
James Morris <jmo...@namei.org> wrote: > I'm seeing this with the 4.6 kernel build: > > CHK include/generated/compile.h > make[1]: *** No rule to make target `signing_key.pem', needed by > `certs/signing_key.x509'. Stop. > make: *** [certs] Error 2 Can I have a look at your .config just in case?
🌐
Reddit
reddit.com › r/kernel › guidance to compile the linux kernel
r/kernel on Reddit: Guidance to compile the linux kernel
February 9, 2025 -

Hi,

I am trying to recompile the linux kernel and facing some issues can y'all help me out please?

My OS is the ubuntu 24.04 LTS. The kernel is the 5.19.8 from here.

When I run make I used to get the following issue:

CC      kernel/jump_label.o
CC      kernel/iomem.o
CC      kernel/rseq.o
AR      kernel/built-in.a
CC      certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1851: certs] Error 2CC      kernel/jump_label.o
CC      kernel/iomem.o
CC      kernel/rseq.o
AR      kernel/built-in.a
CC      certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1851: certs] Error 2

I did as one of the user in thie stackoverflow post said

scripts/config --disable SYSTEM_TRUSTED_KEYS
scripts/config --disable SYSTEM_REVOCATION_KEYS

Now I get the and then when I run make I get the following issue, this I am not sure how I should go about solving it

make[1]: *** No rule to make target 'y', needed by 'certs/x509_certificate_list'. Stop.

make: *** [Makefile:1847: certs] Error 2

🌐
GitHub
github.com › opencomputeproject › onie › issues › 999
make[2]: *** No rule to make target '/home/alexander/ONIE/onie/encryption/machines/kvm_x86_64/keys/ONIE/efi-keys/ONIE-shim-key-cert.pem', needed by 'certs/signing_key.x509'. Stop. · Issue #999 · opencomputeproject/onie
/ONIE/onie/build-config$ make MACHINE=kvm_x86_64 all recovery.iso ==== Building cross linux ==== make[1]: Entering directory '/home/alexander/ONIE/onie/build/kvm_x86_64-r0/kernel/linux-5.4.86' CALL scripts/checksyscalls.sh CALL scripts/atomic/check-atomics.sh DESCEND objtool CHK include/generated/compile.h make[2]: *** No rule to make target '/home/alexander/ONIE/onie/encryption/machines/kvm_x86_64/keys/ONIE/efi-keys/ONIE-shim-key-cert.pem', needed by 'certs/signing_key.x509'.
Author   opencomputeproject
🌐
CodeGenes
codegenes.net › blog › compiling-kernel-gives-error-no-rule-to-make-target-debian-certs-debian-uefi-certs-pem
Compiling Linux Kernel Error: No rule to make target 'debian/certs/debian-uefi-certs.pem' – How to Fix It
This error occurs when the kernel build system cannot find the debian-uefi-certs.pem certificate file, which is required for UEFI Secure Boot and trusted key verification—features often enabled in Debian-modified kernel sources.
🌐
openSUSE Forums
forums.opensuse.org › english › install/boot/login
Kernel Update - Install/Boot/Login - openSUSE Forums
April 30, 2022 - I updated the kernel to linux-5.3.18-150300.59.63. If I run: make oldconfig make I get a a compiler the following error ‘.kernel_signing_key.pem’, needed by ‘certs/signing_key.x509’. After changing the .config file to CONFIG_MODULE_SIG_KEY=“certs/signing_key.pem” the kernel compiles without any errors.
🌐
Gentoo Forums
forums.gentoo.org › viewtopic-p-8811302.html
Gentoo Forums :: View topic - [SOLVED] Dist Kernel fails to build with own signing key
December 26, 2023 - FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register · Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org
🌐
Reddit
reddit.com › r/linuxquestions › linux kernel building failed on ubuntu
r/linuxquestions on Reddit: Linux kernel building failed on Ubuntu
November 20, 2021 -

Hi !

I tried to build the linux kernel Linux by typing this command :

make -j$(nproc) deb-pkg LOCALVERSION=-custom

but I got this error :

make[2]: *** [debian/rules:7 : build-arch] Erreur 2
dpkg-buildpackage: erreur: debian/rules binary subprocess returned exit status 2

I also got this message above :

make[4]: ***  No rule to make target « debian/canonical-certs.pem », needed by « certs/x509_certificate_list ». Stop.

Could somebody help me please ?

🌐
LinuxQuestions.org
linuxquestions.org › questions › linux-newbie-8 › having-trouble-with-installing-new-kernel-4175698296-print
LinuxQuestions.org - Having trouble with installing new kernel
LinuxQuestions.org (/questions/) · - Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/) · - - Having trouble with installing new kernel (https://www.linuxquestions.org/questions/linux-newbie-8/having-trouble-with-installing-new-kernel-4175698296/)
🌐
Bytearray
bytearray.pub › archives › 1524707.html
Compiling kernel gives error No rule to make target debian certs debian uefi certs pem
CC kernel/jump_label.o CC kernel/iomem.o CC kernel/rseq.o AR kernel/built-in.a CC certs/system_keyring.o make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'. Stop. make: *** [Makefile:1851: certs] Error 2 · This seems to be the way to go with the current version: ... There are many, many config flags now, and the signing system must stay operational for the build to work.
🌐
GitHub
gist.github.com › awesomebytes › 8f9158c32a24930c16db6c529f7c2a50
building_rt_preempt.md · GitHub
# Get the necessary certs and put them where they belong sudo mkdir -p /usr/local/src/debian sudo apt install linux-source sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/ sudo apt purge linux-source* ... # # ...