Hello, I’m trying to deploy a recently built and signed firmware image to a imx6ull embedded device, but am running into issues during deployment through Mender and which looks to be a case of a signature verification error. This only seems to be the issue with firmware images built recently, as I can deploy images that were built back in June/July with no issue.
Here is a log file of a failed deployment: gist
I have attempted to verify the recently built/signed artifacts using the
mender-artifact utility which is version 2.4.0, with the
./mender-artifact read artifact-signed-image.mender -k public.key Mender artifact: Name: image Format: mender Version: 2 Signature: signed and verified correctly Compatible devices: '[device]' State scripts: Updates: 0: Type: rootfs-image Files: name: image-imx6ull_device.ext4 size: 369098752 modified: 2021-10-15 04:49:14 -0700 PDT checksum: 56db8d59da430e7ff2adad855105ac2f0b1ecfa421297c04eb3bc95382ead691
artifact-verify-key.pem (I’m actually not sure if this is supposed to work as it is a different file format and all, thought I would include it):
$ ./mender-artifact read artifact-signed-image.mender -k artifact-verify-key.pem Mender artifact: Name: image Format: mender Version: 2 Signature: signed; verification using provided key failed Compatible devices: '[device]' State scripts: Updates: 0: Type: rootfs-image Files: name: image-imx6ull_device.ext4 size: 369098752 modified: 2021-10-05 14:59:45 -0700 PDT checksum: 5c09bcdd6428672d0ad5b47c3f23690c62d785bfec2c0a6222415658441770a6
You can see that signature verification fails with the
artifact-verify-key.pem which is present on the device but looking into both the
public.key file and
artifact-verify-key.pem file they are exactly the same (besides file formats). And from what I understand, the
artifact-verify-key.pem is all that is used to verify firmware images on the device.
Is there something I am missing in regards to why this isn’t working?