Mender artifact signing issue - no key for verification provided

General Discussions
,
1

Hello guys,

As per one of my previous issues, I have decided to use mender-configure addon via generating artifacts for the update module manually (link). This allowed me to enable artifact signing.

I have managed to successfully generate public/private key pair. However, I am a bit confused with the output I am seeing after running mender-artifact and specifying the key path (I used output form this topics message as the source of truth). I am seeing the following:

Mender artifact:
  Name: artifact_name
  Format: mender
  Version: 3
  Signature: signed but no key for verification provided; please use `-k` option for providing verification key
  Compatible devices: '[raspberrypi3]'
  Provides group: 
  Depends on one of artifact(s): []
  Depends on one of group(s): []
  State scripts:

Updates:
    0:
    Type:   mender-configure
    Provides:
	data-partition.mender-configure.version: v4.0.0
    Depends: Nothing
    Clears Provides: ["data-partition.mender-configure.*"]
    Metadata:
	{
	  "test": "a"
	}
    Files: None

I am a bit worried about following line:
Signature: signed but no key for verification provided; please use -k option for providing verification key

The command I run was:

mender-artifact write module-image \
    -T mender-configure \
    --artifact-name "artifact_name" \
    --device-type raspberrypi3 \
    --output-path artifact.mender \
    --software-filesystem data-partition \
    --software-version "v4.0.0" \
    --meta-data test.json \
    --key private_v1.key

I have tried validating the artifact as per the docs, using mender-artifact validate and am getting following output:

Artifact file 'artifact.mender' validated successfully

However, this still does not fix the signature issue. I have tried overwriting the signature with mender-artifact sign and setting -f flag - results are still the same. Afterwards, I have tried generating an artifact without a signature and then signing it separately, but it leads to the same notice about absent signature verification. Moreover, I have tried various update modules and all of them lead to the same issue of non-existing signature verification.

I have exhausted options to try and cannot seem to find the cause of the issue. Do I need to worry about the issue I am seeing? If so, any ideas on the way to fix it?

PS mender-artifact version - 3.10.1

2

It looks signed correctly. You need a different key when verifying the artifact. Use mender-artifact read -k <PATH> and specify the public key. This should be the same key that you install on the device.

3

Oh… I see, I need to provide it with a public key for it to check against it (aka the key that will be stored on destination devices running mender-client). That makes perfect sense now. I thought it was not happy with me during mender-artifact write step. After specifying the public key during mender-artifact read step, I am receiving the expected output:

Mender artifact:
  Name: artifact_name
  Format: mender
  Version: 3
  Signature: signed and verified correctly
  Compatible devices: '[raspberrypi3]'
  Provides group: 
  Depends on one of artifact(s): []
  Depends on one of group(s): []
  State scripts:

Updates:
    0:
    Type:   mender-configure
    Provides:
	data-partition.mender-configure.version: v4.0.0
    Depends: Nothing
    Clears Provides: ["data-partition.mender-configure.*"]
    Metadata:
	{
	  "test": "a"
	}
    Files: None

So, there is no explicit verification written at this stage. It just verifies whether private and public keys are matching. I think I got it. Thanks for a prompt response. Marking your answer as a solution.

LE

Full command should look like this: mender-artifact read -k <PATH_TO_PUBLIC_KEY> <PATH_TO_ARTIFACT>