Getting your ducks in a row
Step #0, even before you download the source, is to prepare your workplace.
First: You’re working on Linux aren’t you? You’re not trying to build Linux on a non-Linux OS are you? Well, are you!?
You need to make sure that you have installed devtools for your distribution. Tools like
gcc, etc., are absolutely vital for this.
Lastly, create a new empty directory to work in and move into it.
Get the source
The Linux source can be downloaded from https://www.kernel.org/. There are a bunch of kernel branches there — mainline, stable, longterm, … — but since we’re rolling our own, why not go for the latest and greatest. For me, at the time of writing, is 4.20, and that’s what I’ll be using here.
Right-click on the link you want, and copy the link location to the clipboard. Then go back to the command-line and download and unpack it.
Validate the download
To make sure that you the file you downloaded is what you think it is, it’s a good idea (although not strictly mandatory) to validate it. Note that the URL in the following is identical to the previous one, but with the filetype changed.
gpg --list-packets linux-4.20.tar.sign
This will output something like the following,
off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 38DBBDC86092693E
version 4, created 1545637608, md5len 0, sigclass 0x00
digest algo 8, begin of digest 8b 2e
hashed subpkt 33 len 21 (issuer fpr v4 647F28654894E3BD457199BE38DBBDC86092693E)
hashed subpkt 2 len 4 (sig created 2018-12-24)
subpkt 16 len 8 (issuer key ID 38DBBDC86092693E)
data: [4095 bits]
In particular, note the
keyid 38DBBDC86092693E. Yours will almost definitely be different from mine, unless you downloaded the same kernel as me. This value will be used to get the GPG key associated with this file using the following command.
gpg --recv-keys 38DBBDC86092693
This will output something very similar to this.
gpg: key 38DBBDC86092693E: 157 signatures not checked due to missing keys
gpg: key 38DBBDC86092693E: "Greg Kroah-Hartman email@example.com" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Finally, use this key to verify against the file you downloaded.
gpg --verify linux-4.20.tar.sign
This will output a bunch of text. If you don’t see the phrase “Good signature” somewhere in there (as in the following), then something has gone wrong, and you need to re-download the kernel source and signature files. Make sure that you are getting them from a reputable location…
gpg: assuming signed data in 'linux-4.20.tar'
gpg: Signature made Mon 24 Dec 2018 08:46:48 AM CET
gpg: using RSA key 647F28654894E3BD457199BE38DBBDC86092693E
gpg: Good signature from "Greg Kroah-Hartman firstname.lastname@example.org" [unknown]
gpg: aka "Greg Kroah-Hartman email@example.com" [unknown]
gpg: aka "Greg Kroah-Hartman (Linux kernel stable release signing key) firstname.lastname@example.org" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 647F 2865 4894 E3BD 4571 99BE 38DB BDC8 6092 693E
That’s it! You now have a (validated) copy of the Linux kernel source code waiting for you to configure and build for your own system. Congratulations!