I'm new to writing Linux modules (drivers) and digital signatures, so please correct me if any of my understanding is incorrect. When I run make modules_install on my module, I get the following error (veikk is the module name): At main.c:160: - SSL error:02001002:system library:fopen:No such file or directory: ../crypto/bio/bss_file.c:72 - SSL error:2006D080:BIO routines:BIO_new_file:no such file: ../crypto/bio/bss_file.c:79 sign-file: certs/signing_key.pem: No such file or directory I was looking up tutorials on signing modules, but I was very confused about how to distribute a signed module. There are tutorials for manually signing modules (e.g., this , this , this ), but these all seem to be post-installation and involve generating and registering a key with the kernel. It seems that the kernel wants to automatically sign the module on installation using certs/signing_key.pem (hence the error). Using the advice provided by this Unix Stack Exchange question , I was able to get rid of the error. This generates the x509.genkey file, and then creates the signing_key.pem and signing_key.x509 files in the certs directory in the kernel directory. printf "[ req ]\ndefault_bits = 4096\ndistinguished_name = req_distinguished_name\nprompt = no\nstring_mask = utf8only\nx509_extensions = myexts\n\n[ req_distinguished_name ]\nCN = Modules\n\n[ myexts ]\nbasicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid" > x509.genkey openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out $(BUILD_DIR)/certs/signing_key.x509 -keyout $(BUILD_DIR)/certs/signing_key.pem After running this and make modules_install, the module seems to install correctly. The output of modinfo veikk seems to show a valid signature: filename: /lib/modules/5.1.5-arch1-2-ARCH/extra/veikk.ko.xz license: GPL srcversion: A82263B16A25C763382D8B9 alias: hid:b0003g*v00002FEBp00000003 alias: hid:b0003g*v00002FEBp00000002 alias: hid:b0003g*v00002FEBp00000001 depends: hid retpoline: Y name: veikk vermagic: 5.1.5-arch1-2-ARCH SMP preempt mod_unload sig_id: PKCS#7 signer: Modules sig_key: 27:E8:FC:4A:4E:15:0C:AF:40:D5:A1:A4:10:E5:B5:55:BF:AF:EB:66 sig_hashalgo: sha512 signature: AC:AF:49:16:D4:AD:D9:7B:C5:52:A5:9F:F8:46:1C:DF:93:71:05:00: 4D:BF:96:96:3C:D1:11:19:6F:AC:D5:27:7D:E3:EE:8D:6C:BB:17:F4: 53:D3:FD:EE:85:22:97:57:BB:27:23:9C:8A:04:79:75:99:C4:A0:E6: 29:AF:20:15:87:EA:41:D2:26:00:2B:A1:39:68:28:FE:05:F5:F1:B1: 42:F8:FF:66:C0:6C:B5:17:A1:E7:F4:65:0A:17:64:99:9E:11:86:C0: 94:E7:D5:83:59:50:BE:0D:33:B8:A2:64:66:4F:70:A3:EB:E4:FB:B4: 52:D9:26:9C:57:CC:0D:D6:53:51:C2:90:D6:51:13:83:B6:22:EC:C9: DF:15:1D:1E:34:BD:7A:2D:8F:13:2D:78:8C:D3:EA:43:0B:6C:8D:DA: 9A:DA:A1:74:03:FC:D8:72:D0:96:54:52:60:AB:7A:BB:3C:D0:F4:8C: B7:92:21:B1:D8:02:01:6B:9B:AD:11:1A:90:5B:21:94:12:B7:5A:15: 10:6B:92:FA:74:F5:49:A2:4A:65:FF:4E:B6:9B:08:7B:BD:E5:85:9D: 98:52:A2:E4:D7:B4:0D:90:0D:62:7E:CE:6B:F8:8B:0C:33:76:1E:01: C7:0D:29:8C:97:BC:E1:35:58:2B:55:3F:6E:D9:36:46:50:76:74:67: 1F:B2:F6:C3:6B:24:4D:C1:7E:8D:14:4D:10:2D:1D:80:3C:82:02:1C: A6:87:14:8B:A0:3C:21:EA:DD:A7:CD:9C:D0:1B:DF:84:53:BF:0A:B6: DA:50:C4:AA:FF:90:44:47:4B:9F:8A:1C:C3:14:5D:A3:B5:A4:5F:6F: E1:E0:E2:51:B1:1E:5C:7E:95:70:72:76:3A:9D:53:10:F5:F0:3F:CD: E5:2B:EF:E4:3D:DB:64:65:9B:AE:E6:23:6E:4E:F1:4B:94:17:FF:FF: 06:A0:79:84:E1:BE:24:9D:93:B9:D4:94:41:76:92:D5:5B:8F:F6:4F: 98:B9:24:6F:01:CD:4F:49:52:15:48:79:4A:F3:46:CF:8A:AC:21:A9: 64:81:AC:01:15:80:06:F4:C3:9D:8A:C0:48:A6:53:C5:81:C2:DD:B1: C6:B9:80:B8:A9:C2:89:B8:20:C5:89:81:90:15:86:78:F7:09:3F:FD: F6:AC:54:57:8C:E0:B4:62:E0:78:CB:59:63:FA:E6:E2:8C:78:59:31: 92:E5:B5:E3:75:FE:F6:8F:82:3B:D6:5B:B1:84:E9:A8:9E:A4:B0:03: 99:8D:41:55:FF:11:A8:B6:A3:B9:EA:1D:5C:58:F7:D2:A6:F4:3A:C9: B1:E6:83:10:B7:E5:E4:15:28:2C:62:96 My question: **Is this a recommended (and safe) way to sign a driver?** Preferably, I would like to have end users not have to worry about the hassle of signing the drivers themselves when installing. Because my understanding is a little muddy, here are a few questions I don't understand: - Is this automatic signing on build as secure as the tutorials above for manually signing a driver after installation? I.e., I'm generating a key to sign it with, but that key never (at least explicitly) is loaded into the kernel. - How are drivers normally distributed and signed? I would expect large companies with proprietary drivers for Linux to have their modules signed some way, such as Nvidia. - Is there a way to pre-sign a module (on my end)? This seems unlikely because the module should be built for any system it's to be used on. I would like to keep Secure Boot on (disabling it allows the unsigned module to load, but clients would prefer to have Secure Boot on).

I'm using a Debian-based OS distribution (Devuan, to be specific). I'm trying to use the apt-add-repository Python-based program, which is part of the software-properties-common package . Unfortunately, running it - fails, and I get:

Traceback (most recent call last):
  File "/usr/bin/apt-add-repository", line 361, in 
    addaptrepo = AddAptRepository()
  File "/usr/bin/apt-add-repository", line 39, in __init__
    self.distro.get_sources(self.sourceslist)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/aptsources/distro.py", line 92, in get_sources
    raise NoDistroTemplateException(
    ......
    )
aptsources.distro.NoDistroTemplateException: Error: could not find a distribution template for devuan/excalibur ceres

I've gone over the script itself - the "templates" are not there; I've also looked through a couple of potential files it imports, also no luck, or perhaps I've missed something. My questions: * Where are those "distribution templates" actually located? * How can I add a template to suit my distribution?

Where do I find the fingerprints of the gpg keys used to sign 1. the ISO images of the Linux Mint? 2. Linux Mint packages? I would like to find a place where I can download them using a secured method (https).

I am trying to update the Gnome Web (org.gnome.Epiphany) flatpak, on Ubuntu 22.04.4 LTS (on WSL2). One specific resource, "org.freedesktop.Platform.openh264" always freezes when downloading. My internet connection is fine, and I can download other files/resources from Flathub fine, just not this one:

user@device:~$ sudo flatpak update org.gnome.Epiphany
[sudo] password for user:
Looking for updates…
Required runtime for org.gnome.Epiphany/x86_64/stable (runtime/org.gnome.Platform/x86_64/46) found in remote flathub
Do you want to install it? [Y/n]: y

        ID                                        Branch         Op        Remote         Download
 1. [—] org.freedesktop.Platform.openh264         2.4.1          i         flathub            1.0 kB / 976.5 kB
 2. [ ] org.gnome.Platform.Locale                 46             i         flathub        < 367.4 MB
 3. [ ] org.gnome.Platform                        46             i         flathub        < 346.3 MB
 4. [ ] org.gnome.Epiphany                        stable         u         flathub         < 11.6 MB

Installing 1/4… █▌                     8%

I have tried uninstalling, force-reinstalling, running flatpak repair, rebooting the system, switching wifi networks, using a VPN, everything I can think of. Is there any way I can find, either from the flatpak cli or somewhere online, the specific version of "org.freedesktop.Platform.openh264" it's trying to download and what URL it is being served from? I think I would be able to download it in a browser or using curl, or find a mirror repo or something, and manually install it from the file, but I don't know how to find that information. (Alternatively, if I found or compiled an up-to-date _.flatpak_ file for Gnome Web to do a manual offline install, would that include these other runtime packages bundled in it?)

I use linux mint 21.3 Cinnamon Edition. I see in the software manager under licence, where it say changing is not allowed. what is the meaning of it? Please tell me. **(Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.)**

I'm using autoconf and automake to build a tiny project. For the project's manual, I've used OpenBSD's native [mdoc format](http://man.openbsd.org/mdoc) , and the installable man-formatted manual is generated from this using [the mandoc utility](http://man.openbsd.org/mdoc) . The man-formatted manual will be installed as the actual manual with make install, as some systems do not grok mdoc properly, or at all. In the project's doc directory, I have a Makefile.am file that currently looks like the following (the manual is for a utility called shell): dist_man1_MANS= shell.man EXTRA_DIST= shell.mdoc shell.man: shell.mdoc $(mandoc) -T man shell.mdoc >shell.man $(mandoc) will be properly expanded to the full path of the mandoc formatter (this variable is set by the configure script). This allows me to run make dist which creates shell.man and then creates a compressed tar archive containing both the source mdoc manual and the generated man manual along with the rest of the project's distribution files: $ tar tzf shell-toolbox-20180401.tar.gz ... shell-toolbox-20180401/doc/Makefile.am shell-toolbox-20180401/doc/shell.man shell-toolbox-20180401/doc/Makefile.in shell-toolbox-20180401/doc/shell.mdoc This tar archive can later be used to successfully build and install the project, and its manual. So far so good. However, if I run [make distcheck](http://www.gnu.org/software/automake/manual/html_node/Checking-the-Distribution.html) (because I'd like to make sure it absolutely positively works): $ make distcheck ... checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /usr/local/bin/gmkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking for mandoc... /usr/bin/mandoc checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating doc/Makefile config.status: creating src/shell Making all in src Making all in doc /usr/bin/mandoc -T man shell.mdoc >shell.man mandoc: shell.mdoc: ERROR: No such file or directory *** Error 3 in shell-toolbox-20180401/_build/sub/doc (Makefile:459 'shell.man') *** Error 1 in shell-toolbox-20180401/_build/sub (Makefile:345 'all-recursive') *** Error 1 in /home/myself/local/build/shell-toolbox (Makefile:576 'distcheck') It seems as if the source mdoc file is not available in the build directory when the manual needs to be built: $ ls shell-toolbox-20180401/_build/sub/doc total 32 -rw-r--r-- 1 myself myself 14989 Apr 1 21:35 Makefile -rw-r--r-- 1 myself myself 0 Apr 1 21:35 shell.man The zero-length shell.man file comes from the failed mandoc run. The source is available in the unpacked archive, but just not copied over to the _build/sub/doc directory: $ ls -l shell-toolbox-20180401/doc total 48 -r--r--r-- 1 myself myself 178 Apr 1 21:23 Makefile.am -r--r--r-- 1 myself myself 13925 Apr 1 21:23 Makefile.in -r--r--r-- 1 myself myself 3443 Apr 1 21:27 shell.man -r--r--r-- 1 myself myself 3319 Apr 1 18:54 shell.mdoc **Question**: What automake magic do I have to apply to get make distcheck to properly copy the mdoc source to the build directory before it attempts to generate the man-formatted manual? I'm looking for a "proper" way of doing this, not a hack. I tried using man1_SOURCES= shell.mdoc but that makes automake complain with doc/Makefile.am:2: warning: variable 'man1_SOURCES' is defined but no program or doc/Makefile.am:2: library has 'man1' as canonical name (possible typo) --- Another way to provoke this error is to manually do a [VPATH build](http://www.gnu.org/software/automake/manual/html_node/VPATH-Builds.html) (which is basically what's happening when doing make distcheck): $ make distclean $ mkdir t $ cd t $ ../configure checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /usr/local/bin/gmkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking for mandoc... /usr/bin/mandoc checking that generated files are newer than configure... done configure: creating ./config.status config.status: creating Makefile config.status: creating src/Makefile config.status: creating doc/Makefile config.status: creating src/shell $ make Making all in src Making all in doc /usr/bin/mandoc -T man shell.mdoc >shell.man mandoc: shell.mdoc: ERROR: No such file or directory *** Error 3 in doc (Makefile:459 'shell.man') *** Error 1 in /home/myself/local/build/shell-toolbox/t (Makefile:345 'all-recursive') $ ls -l doc total 32 -rw-r--r-- 1 myself myself 14589 Apr 1 22:42 Makefile -rw-r--r-- 1 myself myself 0 Apr 1 22:42 shell.man

We are fairly new to Linux. We are looking for Suitable Linux based Operating System (distribution) for python, Maxima (computer algebra system), c programming and jupyter notebook. We want to install these on 30 computer systems. Which Linux based Operating System would be useful? Is there any distribution which comes pre-installed with one or more of these? We will prefer to have some good GUI as users are not acquainted with Linux but familiar with Windows operating system. Ours is educational institute. Any help will be highly appreciated. Thanks.

We use a Linux-based virtual machine with internally developed applications in a cross-organizational area with many different users. The applications and updates are not publicly available, but are currently distributed as a protected download package with installation script. However, this is costly and error-prone. In the future, updates will be automatically requested and executed by the virtual machines. This requires an infrastructure or software that meets the following criteria: - Secure access via user credentials, key or similar options. - control of access for different user groups, so that not all users have access to all applications While searching for such a solution, I could not yet find any software that covers the criteria. I would be grateful here also for hints, for which terms or for which kind of software I can search. The central control and provisioning of clients (opsi, m23, ...) seems to me not the right thing, the clients should not be managed and configured centrally, but these should be able to request the updates. A PPA doesn't seem suitable when it comes to secured access or different user groups. If there is nothing suitable for the purpose, a custom development would also be conceivable. Before that, however, I would like to get as broad an overview as possible of which solutions might be considered. I am grateful for any ideas and suggestions.

If Linux distributions differ by the set of applications, then is it possible to convert one Linux distribution to another by simply copying the apps of that distribution to the target distribution? For example, if I will copy the apps of Ubuntu and paste it to Kali, would that make Kali become Ubuntu, or vice versa, etc., etc.?

On Debian/Ubuntu systems I can use the following line to create a user and group named "dv" just for usage on a daemon service (systemd). No SSH login, no password, no home directory etc: adduser --system --no-create-home --group dv I realized that this does not work on Suse and RedHat/CentOS distributions (and many more). As this should be a helping bash script for installation, I need the above in a cross distro way. I found that **useradd** command is available on all these distros. But how to get the same result on all of them? Is there a generic way of calling **useradd** to gain the same as with the above **adduser** command? Or do I need to have some if/then/else constructs to support them? Maybe there is already some working example somewhere?

I am working on some Linux application. It is the right moment to start thinking about deployment. So my question is: How to create a one file installer like for example *.run or *.sh files that sometimes can be found in internet (for example nVidia drivers or Wolfram Mathematica CDF).

I'm developing a project that ideally should work on any Linux distribution or FreeBSD with minimal manual effort to install, without having to be packaged in each distribution's repository. It includes an Nginx config file that's copied to /etc/nginx/ with an install script. The obstacle: not all OSes store it in the same place. In every Linux I know, it goes in /etc/nginx/, but on FreeBSD, it goes in /usr/local/etc/nginx/. (My project has Nginx as a dependency, and Nginx *is* expected to be installed through the OS package manager.) So, what is the best way to programmatically determine where the config file needs to go?

I would like to use Debian packages to deploy software (a web application) to a Debian-based server. For reasons beyond the scope of this question we cannot use Docker (or a PaaS such as Heroku) to avoid this problem altogether. The setup is pretty simple, we have a Git repository with some source code. We work on branches and run the code locally (no Debian-specific stuff here, in fact development is done on various & different operating systems); when we're happy we commit to a branch, wait for CI tests to run, review & merge to master. Upon a merge to master happens we want to deploy this to a Debian server. Currently this is done "manually" via a shell script that moves files in the right place and restarts the right services. This is fragile for many reasons (the script might fail in the middle and leave the production server in an inconsistent state) and I'd like something better. Debian packages sound like a good solution. They have built-in handling for many of the things we currently do manually via the deployment script such as copying files, (re)starting systemd services, etc. Furthermore our CI/CD system (Azure DevOps) has the concept of _artifacts_ which are stored and can be redeployed manually at any time, so it fits well with the idea of a .deb that contains the entire application. The problems I see: * Debian insists on the concept of releases & versions. In our case we don't have versions and don't want them; all we care about is to be able to deploy whatever the current master branch is - the .deb file itself will be copied and dpkg'd through a shell script over SSH so versioning for the purpose of maintaining an APT repository is irrelevant. * Debian insists on changelogs. We don't want to maintain those manually; gbp dch --ignore-branch -S generates one for us but it squashes all the commits into a single "change", and furthermore still doesn't solve the version problem. * The majority of the tooling & documentation assumes I have some sort of versioned source tarball and the "Debian" part of it is its own repo. Not only do I not have a concept of versions but the application's source and the Debian packaging tooling for it is in the same repo. Questions: * Is this a good idea to begin with? * How do I completely ignore/work around the concept of versions and changelogs? * Can I still preserve the install vs upgrade distinction for packages? My application has different logic for whether we're upgrading a different installation or doing a new installation from scratch (for example, on a new installation the application will depend on a configuration file that needs to be created manually, so starting the systemd service automatically is a no-go, however during an upgrade we assume the configuration file is already there so if the service is already started we do want to restart it).

I faced a problem of building a tarball for my application manually to prepare a distribution. My project structure looks as project_root | |__resources | |____config.conf | .... |__target |____release |___bin |___app.bin So I need to tar 2 files as foolows: project_root/resource/config.conf --> ./app/config/example/config.conf project_root/target/release/bin/app.bin --> ./app/app.bin There is a good example of how to tar multiple files and for tar with relative paths , but for a single file. Is there a way to tar the two files in the scheme above?

I've made a deb package which contains binaries of my software. Also I've made a repo and configured it so user can install updates using sudo apt-get update mypackage && sudo apt-get install mypackage. After installation binaries of my application will be extracted to /opt/mypackage and .desktop file will be extracted to /usr/share/applications so user can launch the application without issues. What I want to know is how can I install updates of my application from code when they are available in the user system as it's done in other applications? I'm asking because it requires root password when running apt-get install or sudo gdebi mypackage. At the moment when I want to push new updates - I build new .deb package and put it to the repository. Should I do it in the other way? Or maybe I was wrong when decided to put binaries in /opt directory? Any help will be appreciated. If you know some open-source projects where this part of the functionality is implemented could you please share it? Also, I can create a simple repository which reproduces what I tried to explain here.

I just noticed that the current update of the distribution I'm using (version 18.3 of Linux Mint) boasts supports for "Flatpak". So, I ddg'ed it and found [this Wikipedia page](https://en.wikipedia.org/wiki/Flatpak) about yet. So I understand Flatpak is some sort of sandboxing framework - but I don't see anything which suggests why it's useful and interesting for me to run all sorts of apps in "isolation" at all - unless I'm managing some physical machine offering "cloud" services. Why would I want to do this? Going on the Flatpak website, it seems like it's offering a sort of a bypass around the individual distributions' package management system + support for multiple versions of the same package. Now, the second feature I like, but isn't it just something that distro package management systems need to start supporting better? As for the first part - it sounds like the [14 competing standards situation from xkcd](https://xkcd.com/927/) . Am I misunderstanding something here? PS - How is it different than Docker, which also does a sort of a sandboxing that's not as strong as putting up a virtual machine?

Suppose I have a set of pre-requisites I need to install for any of a number of linux distributions. In this case, I'd need to switch my install expression against the distribution. I am aware of uname -v, and I am aware that I can inspect the output of this command with some friable string expression and logic. However what I really need is:

V=$(something-like-uname)
echo $V

"Debian"
# or
"Gentoo"
# or
"Redhat"
# or 
"Arch"
# etc.

What is this command? (Does it exist?)

What's the difference between the different branches of the repositories for a specific version and flavor of Ubuntu? Such as main/universe/restricted and so on?

I'm working on some shared library and now stuck with the problem that some software refused to pick the newer version, but some has to use the latest since it has some crucial changes. So I need to keep 2 different versions of the same library. The problem is I use sort of "fat" package libel.deb that contains header files needed for developers as well as the actual binary so compatible with the header files. I'm thinking of splitting the libel.deb into libel-dev.deb and libel1-bin.deb, libel2-bin.deb. But the problem is the libel-dev contains headers compatible with le latest version of the library so developers actually need to install 2 packages: libel-dev and libel2-bin which is error-prone (very easy to install incompatible dev and bin packages). How to go about this issue? Probably it is possible for dev-package to contain binaries as well...?

I have the following install script for ubuntu : #!/bin/bash sudo apt update sudo apt full-upgrade -y sudo apt install jq sudo apt autoclean -y sudo apt autoremove will the following work under fedora, red hat, mageia or other rpm-based distros ...or does the syntax have to change more? #!/bin/bash sudo rpm update sudo rpm full-upgrade -y sudo rpm install jq sudo rpm autoclean -y sudo rpm autoremove also can I do something to the effect of the following? : #!/bin/bash if [ $(command -v yum) ] then sudo yum update sudo yum full-upgrade -y sudo yum install jq sudo yum autoclean -y sudo yum autoremove else sudo rpm update sudo rpm full-upgrade -y sudo rpm install jq sudo rpm autoclean -y sudo rpm autoremove fi