Mender 2.0 beta / mender-artifact 3.0.0b1: "Error selecting images for modification: error validating signature"

thud
#1

I have upgraded to mender 2.0 beta and mender-artifact 3.0.0b1. When I try signing my mender artifact I get this error: “Error selecting images for modification: error validating signature”.
When using mender 1.6 and mender-artifact version 2.3.0 with the same key, it was working as it should. I am using thud branch
Any suggestions?

Thanks for your help!

#2

Hi @jostor,

Can you share the full command that you are running?

#3

I am running./mender-artifact modify artifact-signed.mender -k private.key

Just realized there is also a mender-artifact sign command. This command runs without errors. What is the difference?

#4

Oki, I see it

$ mender-artifact modify my-update-1.0-signed.mender -k private.key
Error selecting images for modification: error validating signature
$ mender-artifact -version
mender-artifact version 3.0.0b1
#5

The difference is different code paths but I do not have detailed insights in this part. This looks like a bug to me and I have created a bug in the tracker where you can track progress of this.

https://tracker.mender.io/browse/MEN-2486

Thanks for reporting.

#6

Ok, thanks for your help!

#7

Hi @jostor and welcome to Mender Hub!

I am working in the bug you reported. I actually found two related issues, but not yet the root cause for yours.

I need to better understand your workflow. I think you do something like:

  1. Create the artifact with mender-artifact write rootfs ... (not signed)
  2. Then signing it with mender-artifact modify -k ...

Is that correct? That workflow is not how mender-artifact is meant to be used. And it fails the same way for me in v2.3.0 and v3.0.0b1

Are you doing something else?

Thanks!

#8

@jostor, some further investigation from our side and it seems that the error you reported (or similar) has been present for a long time and last time this worked was in 2.2.0 version of mender-artifact.

Would be really helpful if you can share the exact commands you used and version when it worked, and when it did not.

I have added some additional information to the ticket and would like to see that we get comparable results to eliminate that it would be something environment specific.

#9

Hi,
Sorry for replying so late. I have been busy with other stuff the last week, and had not checked this thread until today.
I have been building mender artifact with yocto.
After this I have been using the command found here: https://docs.mender.io/2.0/artifacts/signing-and-verification#an-existing-mender-artifact
mender-artifact modify artifact-signed.mender -k private.key
This was working fine before upgrading meta-mender, mender and mender-artifact.
The version I had of mender-artifact before was 2.3.0. Now I have 3.0.0b1

What is the correct way to sign the artifact after building it with bitbake?

Please let me know if you need additional information.

#10

You can use the following command to sign artifacts:

mender-artifact sign -k private.key artifact-signed.mender

Doing this trough the modify command seemed to have some limitations and we have actually dropped the support of signing using modify completely in the upcoming 3.0.0 release.

#11

Thanks! I switched to the sign command last week, and it looks like it is working ok.

Another thing: Are there any documentation describing how to upgrade to the newest versions (mender 2 and mender-artifact 3)? When I have built a version 3 mender artifact, this isn’t compatible with Mender 1.6.x / mender-artifact 2.3.x (which is on my device right now), so I cannot upload this to my device. I guess I have to build a version 2 artifact which is including mender 2 and mender-artifact 3, and after uploading this, I can upload version 3 artifacts. Is this correct?

#12

That is correct. You first must update to the 2.0 client, before you can utilize the Mender Artifact V3.