Issue with key verification using Directory Update Module

I’m trying to use this module, but it seems that there’s something going wrong with key verification.
I used mender-artifact sign to sign the .mender file containing a directory. The device downloads the file, but then says:
“Fetching Artifact headers failed: installer: failed to read Artifact: readHeaderV3: reader: invalid signature: crypto/rsa: verification error”

Am I missing something?

I can’t say whether this is the cause of your issue, but there is definitely a serious bug when using the sign command on an artifact using update modules. Signing while creating the original artifact seems to work though, but there is an additional bug in 2.0.0 which prevents the argument from taking effect.

Can you try this workaround:

  1. Download the directory-artifact-gen from 2.0.x.
  2. Using this new generator, create the artifact again, and while doing so, append these arguments to the end:
    -- -k private.key
    
    Where private.key is the key you use to sign the artifact.
  3. Then retry the deployment.

Somehow, using the latest still doesn’t work correctly it seems. Still the same error.

Looking at the mender UI, the package seems signed correctly, and contains the update.tar and dest_dir files.

Is this something in mender client 2.0.0?

Any update on this? You guys need more info on my environment or situation to diagnose this?

Server is not the hosted cloud mender, but running on 2.0. Client is on 2.0 as well.

According to mender-artifact verify, the resulting .mender file is correct.

Thanks in advance!

Hmm, nothing immediate comes to mind; it’s a brand new error to me. You say that mender-artifact verifies the file. Does that include passing the -k argument and the public key to have the signature verified as well?

Yes, this is including the -k.

1 thing I haven’t tried yet, is to run mender-artifact verify on the device. But this shouldn’t matter.

Any other suggestions to check out? Anyone gotten this to work?

(Also, I’d be happy to do a teamviewer session or so to figure this out…)

Can you post the output from mender-artifact read <artifact.mender>?

Output, including invocation:

./mender-artifact read output.mender -k public.key
Mender artifact:
Name: testapp-3
Format: mender
Version: 3
Signature: signed and verified correctly
Compatible devices: '[raspberrypi3]'
Provides group:
Depends on one of artifact(s): []
Depends on one of group(s): []
State scripts:

Updates:
    0:
    Type:   directory
    Provides: Nothing
    Depends: Nothing
    Metadata: Nothing
    Files:
      name:     update.tar
      size:     10240
      modified: 2019-06-11 18:53:39 +0200 DST
      checksum: 5a23f139c5fa97881876cd81b32b3b8c4bda0d8861844e8cc608ca34d68a596a
    Files:
      name:     dest_dir
      size:     9
      modified: 2019-06-11 18:53:39 +0200 DST
      checksum: 77516a23517355d95d8eb3014d6309e5ab38efe8abdfb90bc91ef1191fbd7aef

Nothing out of the ordinary AFAICS. Any chance you could post the artifact? Or perhaps one without sensitive content, if you can still reproduce it then. Preferably the public key as well.

See attached.

My main objective is working around a firmware updating issue I have with my raspberry’s though.

(Attachment public.key is missing)

(Attachment output.mender is missing)

How would I go about posting the artifact and key file? I tried attaching them, but I get an error about dangerous extensions…

I’m not sure but maybe putting them in a zip file will work. I guess it depends on how aggressive discourse is about scanning.

The other option is to put them on google drive or some such and just post a link.

How about posting them at https://send.firefox.com/ ?

Another tool - https://wetransfer.com/

Wasn’t sure if external links were unwanted in here.

There we go: https://wetransfer.com/downloads/6f4300abc87032140226529dd70d06c520190617163507/1e05c370b882fba45b3574219e9db80520190617163507/dfdc3f

I cannot reproduce it unfortunately. With your artifact and key, I get:

installer: authenticated digital signature of artifact

And the install proceeds correctly.

How are you building the client? With Yocto?

Yes, I’m using Yocto.

I have set the following in my local.conf:

PREFERRED_VERSION_pn-mender = "2.%"
PREFERRED_VERSION_pn-mender-artifact = "3.%"
PREFERRED_VERSION_pn-mender-artifact-native = "3.%"

Just to make sure: are the version numbers below the same as what is mentioned in the local.conf? I’m not sure whether both are taking the same or different versions, so I asked.

PREFERRED_VERSION_pn-mender = "2.0.%"
PREFERRED_VERSION_pn-mender-artifact = "3.0.%"
PREFERRED_VERSION_pn-mender-artifact-native = "3.0.%"

Yes, but without the 0. part, so my mender version is 2.% instead of 2.0.%
Is that required to get this working?

We only have version 2.0.0 available, meaning that 2.0.% and 2.% will both use the same recipe currently and should be unrelated to the problems you are having. The same applies to mender-artifact (3.0.0).
