Download_Error script is not run if artifact signature is invalid

Hi there,

In our product, we track the progress of Mender updates using state scripts that notify our software about a state change. In one situation, however, this approach does not work. If the artifact has an invalid signature (not verifiable with artifact-verify-key), the Mender client does not run the Download_Error script but changes to Idle immediately.

time="2023-03-10T16:33:03Z" level=info msg="State transition: update-check [Sync] -> update-fetch [Download_Enter]"
time="2023-03-10T16:33:03Z" level=info msg="Executing script: Download_Enter_10_Report"
time="2023-03-10T16:33:03Z" level=info msg="Running Mender client version: 3.1.0"
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-fetch [Download_Enter] -> update-store [Download_Enter]"
time="2023-03-10T16:33:03Z" level=error msg="Fetching Artifact headers failed: installer: failed to read Artifact: readHeaderV3: reader: invalid signature: crypto/rsa: verification error"
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-store [Download_Enter] -> update-status-report [none]"
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-status-report [none] -> idle [Idle]"

Is it a bug in Mender client or is this behavior intended? Is there a way for our software to be notified of such a condition?

We are using Mender client 3.1.0 (it seems that this behavior has not changed since).

Thanks for your help.

I have to reproduce it, but if this turns out to be the case, it does look like a bug.
Do please note that 3.1 is not supported and I will be testing this on an LTS instead.


I’ve reproduced the issue and created a ticket about it.
You can track the progress here: [MEN-6402] - Mender and CFEngine (by Jira
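
An added example, not part of the original thread and not Mender's own code: a small log check that flags a download attempt which hit an invalid-signature error and returned to idle without any Download_Error script running, so the product software can pick the condition up from the client log. The sample input is the log excerpt from the first post; the function name and the shape of the findings are assumptions.

```python
import re

# Log excerpt copied from the first post (Mender client 3.1.0).
SAMPLE_LOG = r'''
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-check [Sync] -> update-fetch [Download_Enter]"
time="2023-03-10T16:33:03Z" level=info msg="Executing script: Download_Enter_10_Report"
time="2023-03-10T16:33:03Z" level=info msg="Running Mender client version: 3.1.0"
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-fetch [Download_Enter] -> update-store [Download_Enter]"
time="2023-03-10T16:33:03Z" level=error msg="Fetching Artifact headers failed: installer: failed to read Artifact: readHeaderV3: reader: invalid signature: crypto/rsa: verification error"
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-store [Download_Enter] -> update-status-report [none]"
time="2023-03-10T16:33:03Z" level=info msg="State transition: update-status-report [none] -> idle [Idle]"
'''

LINE_RE = re.compile(r'time="(?P<time>[^"]*)" level=(?P<level>\w+) msg="(?P<msg>.*)"\s*$')
TRANSITION_RE = re.compile(r'State transition: \S+ \[\w+\] -> (\S+) \[\w+\]')
SCRIPT_RE = re.compile(r'Executing script: (\S+)')


def find_silent_signature_failures(log_text):
    """Return one finding per download attempt that hit a signature error
    and reached idle without a Download_Error* script being executed."""
    findings = []
    attempt = None  # state of the download attempt currently in progress
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a client log line in the format shown above
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            dst = t.group(1)
            if dst == "update-fetch":  # a new download attempt begins
                attempt = {"started": m["time"], "error": None, "error_script": False}
            elif dst == "idle" and attempt:  # attempt is over, evaluate it
                if attempt["error"] and not attempt["error_script"]:
                    findings.append({"time": attempt["started"], "error": attempt["error"]})
                attempt = None
            continue
        if attempt is None:
            continue
        s = SCRIPT_RE.search(msg)
        if s and s.group(1).startswith("Download_Error"):
            attempt["error_script"] = True
        elif m["level"] == "error" and "invalid signature" in msg:
            attempt["error"] = msg
    return findings
```
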