Instead of removing the kernel signature checking, I've just configured it correctly:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking

To get there, I've just followed these steps:

sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*

...which:

  1. installs the Ubuntu Linux kernel sources
  2. copies the certificates into a dedicated non-package-managed directory
  3. removes any kernel sources package again

This process can be repeated whenever an update is required (e.g. new certificates).

Answer from Ancoron on Stack Overflow
Top answer
1 of 6
32

Instead of removing the kernel signature checking, I've just configured it correctly:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem"
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem"
# end of Certificates for signature checking

To get there, I've just followed these steps:

sudo mkdir -p /usr/local/src/debian
sudo apt install linux-source
sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/
sudo apt purge linux-source*

...which:

  1. installs the Ubuntu Linux kernel sources
  2. copies the certificates into a dedicated non-package-managed directory
  3. removes any kernel sources package again

This process can be repeated whenever an update is required (e.g. new certificates).

2 of 6
20

This seems to be the way to go with the current version:

https://unix.stackexchange.com/a/649484/301245

There are many, many config flags now, and the signing system must stay operational for the build to work. Easiest is to copy debian/ and debian.master/ into the source tree of the kernel to be built, then it works without additional changes. Well, almost: It can happen that references to key files still exist. The keys section in the .conf file should look like this:

#
# Certificates for signature checking
#
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
CONFIG_SECONDARY_TRUSTED_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
# end of Certificates for signature checking
🌐
Reddit
reddit.com › r/linuxquestions › linux kernel building failed on ubuntu
r/linuxquestions on Reddit: Linux kernel building failed on Ubuntu
November 20, 2021 -

Hi !

I tried to build the linux kernel Linux by typing this command :

make -j$(nproc) deb-pkg LOCALVERSION=-custom

but I got this error :

make[2]: *** [debian/rules:7 : build-arch] Erreur 2
dpkg-buildpackage: erreur: debian/rules binary subprocess returned exit status 2

I also got this message above :

make[4]: ***  No rule to make target « debian/canonical-certs.pem », needed by « certs/x509_certificate_list ». Stop.

Could somebody help me please ?

Discussions

Need someone confirmation for the changes I did
When I tried to run make oldconfig or make all recieve below error: make[1]: More on forum.linuxfoundation.org
🌐 forum.linuxfoundation.org
January 25, 2022
debian - Attempting to compile kernel yields a certification error - Unix & Linux Stack Exchange
I'm currently attempting to follow Hardening Debian for the Desktop Using Grsecurity guide in order to install the 4.5.7 kernel with Grsecurity on my Kali Linux desktop. I am following that list of More on unix.stackexchange.com
🌐 unix.stackexchange.com
July 3, 2016
[Ubuntu 20.04] Missing Canonical certs from stock kernel config file
Hello, Thanks for this project. The installation procedure are clear and worked pretty well. I want to report one small issue which arose when reusing the Ubuntu kernel's configuration. Context I h... More on github.com
🌐 github.com
0
March 19, 2021
Guidance to compile the linux kernel
the answers are here and here More on reddit.com
🌐 r/kernel
3
4
February 9, 2025
🌐
Linux.org
linux.org › home › forums › general linux forums › general linux questions
Kernel Compilation Issue on Ubuntu 24.04: Missing Rule for 'debian/canonical-certs.pem' | Linux.org
October 27, 2024 - root@lab-A78F2P-M-V2-0:/usr/src/linux-6.12-rc4# make CALL scripts/checksyscalls.sh DESCEND objtool INSTALL libsubcmd_headers make[3]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
🌐
Linux Foundation Forums
forum.linuxfoundation.org › lfd103 class forum
Need someone confirmation for the changes I did — Linux Foundation Forums
January 25, 2022 - When I tried to run make oldconfig or make all recieve below error: make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
🌐
Linux.org
linux.org › forums › general linux forums › command line
compile kernel | Linux.org
February 7, 2020 - Hello there, Im trying to compile latest kernel 5.5.2. During "make" command, I have this error: make[1]: *** No rule to make target 'certs/rhel.pem', needed by 'certs/x509_certificate_list'. Stop. make: *** [Makefile:1693: certs] Error 2 I use CentOS 8 in a virtual machine. First time...
🌐
GitHub
github.com › intel-gpu › kernel › issues › 3
[Ubuntu 20.04] Missing Canonical certs from stock kernel config file · Issue #3 · intel-gpu/kernel
March 19, 2021 - make[3]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'. Stop.
Author   intel-gpu
Find elsewhere
🌐
Reddit
reddit.com › r/kernel › guidance to compile the linux kernel
r/kernel on Reddit: Guidance to compile the linux kernel
February 9, 2025 -

Hi,

I am trying to recompile the linux kernel and facing some issues can y'all help me out please?

My OS is the ubuntu 24.04 LTS. The kernel is the 5.19.8 from here.

When I run make I used to get the following issue:

CC      kernel/jump_label.o
CC      kernel/iomem.o
CC      kernel/rseq.o
AR      kernel/built-in.a
CC      certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1851: certs] Error 2CC      kernel/jump_label.o
CC      kernel/iomem.o
CC      kernel/rseq.o
AR      kernel/built-in.a
CC      certs/system_keyring.o
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'.  Stop.
make: *** [Makefile:1851: certs] Error 2

I did as one of the user in thie stackoverflow post said

scripts/config --disable SYSTEM_TRUSTED_KEYS
scripts/config --disable SYSTEM_REVOCATION_KEYS

Now I get the and then when I run make I get the following issue, this I am not sure how I should go about solving it

make[1]: *** No rule to make target 'y', needed by 'certs/x509_certificate_list'. Stop.

make: *** [Makefile:1847: certs] Error 2

🌐
Stack Overflow
stackoverflow.com › questions › 79820461 › linux-kernel-build-error-no-rule-to-make-target-debian-canonical-certs-pem
Linux kernel build error: No rule to make target 'debian/canonical-certs.pem' - Stack Overflow
I have compiled the Linux kernel many times, and I always find that it needs a certificate. In my build process, I always encountered "No rule to make target 'debian/canonical-certs.pem" ...
🌐
YouTube
youtube.com › watch
How to resolve error "No rule to make target 'debian/canonical-certs.pem'" - YouTube
gedit .config Then press Ctrl+F and search config_system_trust and comment the line above the keyring one and the line below the keyring lineIf this fix does...
Published   March 24, 2022
Top answer
1 of 6
32
Instead of removing the kernel signature checking, I've just configured it correctly: · # · # Certificates for signature checking · # · CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" · CONFIG_MODULE_SIG_KEY_TYPE_RSA=y · CONFIG_MODULE_SIG_KEY_TYPE_ECDSA=y · CONFIG_SYSTEM_TRUSTED_KEYRING=y · CONFIG_SYSTEM_TRUSTED_KEYS="/usr/local/src/debian/canonical-certs.pem" · CONFIG_SYSTEM_EXTRA_CERTIFICATE=y · CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 · CONFIG_SECONDARY_TRUSTED_KEYRING=y · CONFIG_SYSTEM_BLACKLIST_KEYRING=y · CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" · CONFIG_SYSTEM_REVOCATION_LIST=y · CONFIG_SYSTEM_REVOCATION_KEYS="/usr/local/src/debian/canonical-revoked-certs.pem" · # end of Certificates for signature checking · To get there, I've just followed these steps: · sudo mkdir -p /usr/local/src/debian · sudo apt install linux-source · sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/ · sudo apt purge linux-source* · ...which: · installs the Ubuntu Linux kernel sources · copies the certificates into a dedicated non-package-managed directory · removes any kernel sources package again · This process can be repeated whenever an update is required (e.g. new certificates).
2 of 6
20
This seems to be the way to go with the current version: · https://unix.stackexchange.com/a/649484/301245 · There are many, many config flags now, and the signing system must stay operational for the build to work. Easiest is to copy debian/ and debian.master/ into the source tree of the kernel to be built, then it works without additional changes. Well, almost: It can happen that references to key files still exist. The keys section in the .conf file should look like this: · # · # Certificates for signature checking · # · CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" · CONFIG_SYSTEM_TRUSTED_KEYRING=y · CONFIG_SYSTEM_TRUSTED_KEYS="" · CONFIG_SYSTEM_EXTRA_CERTIFICATE=y · CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 · CONFIG_SECONDARY_TRUSTED_KEYRING=y · CONFIG_SYSTEM_BLACKLIST_KEYRING=y · CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" · CONFIG_SYSTEM_REVOCATION_LIST=y · CONFIG_SYSTEM_REVOCATION_KEYS="" · # end of Certificates for signature checking
🌐
Toradex Community
community.toradex.com › technical support
Kernel modules recompilation issue - Technical Support - Toradex Community
October 18, 2021 - Hello, I’ve just did a git pull ... make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'....
🌐
Snapcraft
forum.snapcraft.io › t › snapcraft-build-snap-kernel-fails-with-certificate-error › 33840
Snapcraft build snap kernel fails with certificate error - snapcraft - snapcraft.io
February 9, 2023 - I also used the Ubuntu focal snapcraft.yaml wih some changes, such as grade, sources… The build fails with : make[1]: *** No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list'.
🌐
LinuxQuestions.org
linuxquestions.org › questions › linux-newbie-8 › having-trouble-with-installing-new-kernel-4175698296-print
LinuxQuestions.org - Having trouble with installing new kernel
LinuxQuestions.org (/questions/) · - Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/) · - - Having trouble with installing new kernel (https://www.linuxquestions.org/questions/linux-newbie-8/having-trouble-with-installing-new-kernel-4175698296/)
🌐
GitHub
gist.github.com › awesomebytes › 8f9158c32a24930c16db6c529f7c2a50
building_rt_preempt.md · GitHub
make[1]: *** No rule to make target 'debian/certs/debian-uefi-certs.pem', needed by 'certs/x509_certificate_list'. Stop. # Get the necessary certs and put them where they belong sudo mkdir -p /usr/local/src/debian sudo apt install linux-source sudo cp -v /usr/src/linux-source-*/debian/canonical-*.pem /usr/local/src/debian/ sudo apt purge linux-source*
🌐
HatchJS
hatchjs.com › home › no rule to make target ‘debian/canonical-revoked-certs.pem’: how to fix
No rule to make target 'debian/canonical-revoked-certs.pem': How to fix
January 5, 2024 - If you are getting the error message no rule to make target 'debian/canonical-revoked-certs.pem', it means that there is no rule in your makefile to create the file debian/canonical-revoked-certs.pem.
🌐
Saverio Miroddi
saveriomiroddi.github.io › A-precise-guide-to-build-a-custom-linux-kernel
A precise guide to building a custom Linux kernel
October 9, 2022 - The first is necessary on Ubuntu/Debian configurations; we must specify not to bake extra trusted X.509 keys into the kernel (used to verify kernel modules; see here): scripts/config --set-str SYSTEM_TRUSTED_KEYS "" scripts/config --set-str SYSTEM_REVOCATION_KEYS "" Without this change, the kernel compilation will raise an error like No rule to make target 'debian/canonical-certs.pem', needed by 'certs/x509_certificate_list.