Multiple ArtifactVerifyKeys?

The Mender client only accepts a single ArtifactVerifyKey: Configuration options | Mender documentation
Can we support multiple keys? This is useful for key rotation, or having some devices that can accept updates that are signed with different keys.

Key rotation usually isn’t a problem, because you can use one artifact signed with key1 to deploy a new key2, which will then be used for subsequent updates. I can see that signing with multiple keys could be useful, but this is not supported at the moment.

key rotation can definitely be done without, but it certainly makes key rotation nicer, by allowing a grace period for changing keys.

I can probably make do without this feature, since it’s not implemented. But if it were supported, it would open up more possibilities on my end.

just updating the key won’t work if someone wants to update the device to a previous version (not rollback) which I think many enterprises do for many reasons. I think a good feature is to allow signing an artifact with multiple keys so the mender client can go through all the signatures and accept the first one it can verify.

I like this approach. In our use case we have multiple stakeholders which are creating application artifacts for the same device and it would be great if every stakeholder could use its own signing key

I think this could be useful as well, though in general I don’t think there is a lot of interest for it so we don’t have any plans to implement it as of now.

It’s open source, so contributions are welcome. :wink:

1 Like

I have a PR for this, still a WIP: feat: Support multiple verification keys by Michaelhobo · Pull Request #1045 · mendersoftware/mender · GitHub

1 Like

This feature was merged last month, it should be available in Mender 3.5: feat: document new ArtifactVerifyKeys option by Michaelhobo · Pull Request #1975 · mendersoftware/mender-docs · GitHub