Instead of removing the kernel signature checking, I've just configured it correctly:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking

To get there, I've just followed these steps:

sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*

...which:

  1. installs the Ubuntu Linux kernel sources
  2. copies the certificates into a dedicated non-package-managed directory
  3. removes any kernel sources package again

This process can be repeated whenever an update is required (e.g. new certificates).

Answer from Ancoron on Stack Overflow
Top answer
1 of 6
32

Instead of removing the kernel signature checking, I've just configured it correctly:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking

To get there, I've just followed these steps:

sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*

...which:

  1. installs the Ubuntu Linux kernel sources
  2. copies the certificates into a dedicated non-package-managed directory
  3. removes any kernel sources package again

This process can be repeated whenever an update is required (e.g. new certificates).

2 of 6
20

This seems to be the way to go with the current version:

https://unix.stackexchange.com/a/649484/301245

There are many, many config flags now, and the signing system must stay operational for the build to work. Easiest is to copy debian/ and debian.master/ into the source tree of the kernel to be built, then it works without additional changes. Well, almost: It can happen that references to key files still exist. The keys section in the .conf file should look like this:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
# end of Certificates for signature checking
Discussions

Linux kernel building failed on Ubuntu
Change CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" to CONFIG_SYSTEM_TRUSTED_KEYS="" or create your own certificate and change the path to reflect. More on reddit.com
🌐 r/linuxquestions
5
5
November 20, 2021
Need someone confirmation for the changes I did
When I tried to run make oldconfig or make all recieve below error: make[1]: More on forum.linuxfoundation.org
🌐 forum.linuxfoundation.org
January 25, 2022
debian - Attempting to compile kernel yields a certification error - Unix & Linux Stack Exchange
I'm currently attempting to follow Hardening Debian for the Desktop Using Grsecurity guide in order to install the 4.5.7 kernel with Grsecurity on my Kali Linux desktop. I am following that list of More on unix.stackexchange.com
🌐 unix.stackexchange.com
July 3, 2016
Linux kernel build error: No rule to make target 'debian/canonical-certs.pem' - Stack Overflow
I have compiled the Linux kernel many times, and I always find that it needs a certificate. In my build process, I always encountered "No rule to make target 'debian/canonical-certs.pem" ... More on stackoverflow.com
🌐 stackoverflow.com
🌐
Linux.org
linux.org › home › forums › general linux forums › general linux questions
Kernel Compilation Issue on Ubuntu 24.04: Missing Rule for 'debian/canonical-certs.pem' | Linux.org
October 27, 2024 - root@lab-A78F2P-M-V2-0:/usr/src/linux-6.12-rc4# make CALL scripts/checksyscalls.sh DESCEND objtool INSTALL libsubcmd_headers make[3]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
🌐
Reddit
reddit.com › r/linuxquestions › linux kernel building failed on ubuntu
r/linuxquestions on Reddit: Linux kernel building failed on Ubuntu
November 20, 2021 -

Hi !

I tried to build the linux kernel Linux by typing this command :

make -j$(nproc) deb-pkg LOCALVERSION=-custom

but I got this error :

make[2]: *** [debian/rules:7 : build-arch] Erreur 2
dpkg-buildpackage: erreur: debian/rules binary subprocess returned exit status 2

I also got this message above :

make[4]: ***  No rule to make target « debian/canonical-certs.pem », needed by « certs/x509_certificate_list ». Stop.

Could somebody help me please ?

🌐
Linux Foundation Forums
forum.linuxfoundation.org › lfd103 class forum
Need someone confirmation for the changes I did — Linux Foundation Forums
January 25, 2022 - When I tried to run make oldconfig or make all recieve below error: make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
🌐
Stack Overflow
stackoverflow.com › questions › 79820461 › linux-kernel-build-error-no-rule-to-make-target-debian-canonical-certs-pem
Linux kernel build error: No rule to make target 'debian/canonical-certs.pem' - Stack Overflow
I have compiled the Linux kernel many times, and I always find that it needs a certificate. In my build process, I always encountered "No rule to make target 'debian/canonical-certs.pem" ...
Find elsewhere
🌐
Saverio Miroddi
saveriomiroddi.github.io › A-precise-guide-to-build-a-custom-linux-kernel
A precise guide to building a custom Linux kernel
October 9, 2022 - Without this change, the kernel compilation will raise an error like No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list.
🌐
GitHub
github.com › intel-gpu › kernel › issues › 3
[Ubuntu 20.04] Missing Canonical certs from stock kernel config file · Issue #3 · intel-gpu/kernel
March 19, 2021 - make[3]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
Author   intel-gpu
🌐
Linux.org
linux.org › forums › general linux forums › command line
compile kernel | Linux.org
February 7, 2020 - Hello there, Im trying to compile latest kernel 5.5.2. During "make" command, I have this error: make[1]: *** No rule to make target 'certs/rhel.pem', needed by 'certs/x509_certificate_list'. Stop. make: *** [Makefile:1693: certs] Error 2 I use CentOS 8 in a virtual machine. First time...
🌐
LinuxQuestions.org
linuxquestions.org › questions › linux-newbie-8 › having-trouble-with-installing-new-kernel-4175698296-print
LinuxQuestions.org - Having trouble with installing new kernel
LinuxQuestions.org (/questions/) · - Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/) · - - Having trouble with installing new kernel (https://www.linuxquestions.org/questions/linux-newbie-8/having-trouble-with-installing-new-kernel-4175698296/)
🌐
Toradex Community
community.toradex.com › technical support
Kernel modules recompilation issue - Technical Support - Toradex Community
October 18, 2021 - Hello, I’ve just did a git pull ... make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'....
🌐
HatchJS
hatchjs.com › home › no rule to make target ‘debian/canonical-revoked-certs.pem’: how to fix
No rule to make target 'debian/canonical-revoked-certs.pem': How to fix
January 5, 2024 - If you are getting the error message no rule to make target 'debian/canonical-revoked-certs.pem', it means that there is no rule in your makefile to create the file debian/canonical-revoked-certs.pem.
🌐
Reddit
reddit.com › r/kernel › guidance to compile the linux kernel
r/kernel on Reddit: Guidance to compile the linux kernel
February 9, 2025 -

Hi,

I am trying to recompile the linux kernel and facing some issues can y'all help me out please?

My OS is the ubuntu 24.04 LTS. The kernel is the 5.19.8 from here.

When I run make I used to get the following issue:

CC      kernel/jump_label.o
CC      kernel/iomem.o
CC      kernel/rseq.o
AR      kernel/built-in.a
CC      certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1851: certs] Error 2CC      kernel/jump_label.o
CC      kernel/iomem.o
CC      kernel/rseq.o
AR      kernel/built-in.a
CC      certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1851: certs] Error 2

I did as one of the user in thie stackoverflow post said

scripts/config --disable SYSTEM_TRUSTED_KEYS
scripts/config --disable SYSTEM_REVOCATION_KEYS

Now I get the and then when I run make I get the following issue, this I am not sure how I should go about solving it

make[1]: *** No rule to make target 'y', needed by 'certs/x509_certificate_list'. Stop.

make: *** [Makefile:1847: certs] Error 2

🌐
Lmu
bjohnson.lmu.build › cmsi3510web › osproject.html
CMSI 3510: Operating Systems Project Page
Commented the line: CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" replaced it with: CONFIG_SYSTEM_TRUSTED_KEYS="" 22. restarted build, got a little further, then error: no rule to make target 'debian/canonical-revoked-certs.pem'...... did the same thing with commenting out and changing the .config file the line: CONFIG_SYSTEM_REVOKATION_KEYS="debian/canonical-revoked-certs.pem" replaced it with: CONFIG_SYSTEM_REVOKATION_KEYS="" 23.
🌐
Snapcraft
forum.snapcraft.io › t › snapcraft-build-snap-kernel-fails-with-certificate-error › 33840
Snapcraft build snap kernel fails with certificate error - snapcraft - snapcraft.io
February 9, 2023 - I also used the Ubuntu focal snapcraft.yaml wih some changes, such as grade, sources… The build fails with : make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'.
🌐
GitHub
gist.github.com › awesomebytes › 8f9158c32a24930c16db6c529f7c2a50
building_rt_preempt.md · GitHub
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'. Stop. # Get the necessary certs and put them where they belong sudo mkdir -p /usr/local/src/debian sudo apt install linux-source ...