Problem with the signature of mender-artifact

Hi everyone,

I downloaded the tools to create the artifacts (docker update, file update and other update modules), but when I try to execute the signature using the keys generated in RSA, the result is always this:

Signature: signed; verification using provided key failed

I also tried using “- -k”, but no luck; at the end of the artifact generation, the same problem is always there.

I’ve tried it with the last artifacts of misery but nothing…

Could anyone give me a hand?

Thanks in advance.

Hello @wow102,

Can you share a copy of the full command you are trying to run?

Hi @mirzak,

Of course, to generate artifacts:


 mender-artifact write module-image -T deb -n ${ARTIFACT_NAME} -t ${DEVICE_TYPE} -o ${OUTPUT_PATH} -f $(echo "$PACKAGES" | sed -e 's/ / -f /g')

Or:

./docker-artifact-gen -n ${ARTIFACT_NAME} -t ${DEVICE_TYPE} -o ${OUTPUT_PATH} ${DOCKER_IMAGES}

To sign the artifacts:

mender-artifact sign artifact.mender -k private.key -o artifact-signed.mender

Tried to reproduce,

The following sequence worked for me:

./docker-artifact-gen -n ${ARTIFACT_NAME} -t ${DEVICE_TYPE} -o ${OUTPUT_PATH} ${DOCKER_IMAGES}
Using default tag: latest
latest: Pulling from library/debian
4a56a430b2ba: Pull complete 
Digest: sha256:e25b64a9cf82c72080074d6b1bba7329cdd752d51574971fd37731ed164f3345
Status: Downloaded newer image for debian:latest
docker.io/library/debian:latest
Artifact my-container-update-1.0.mender generated successfully:
Mender artifact:
  Name: my-container-update-1.0
  Format: mender
  Version: 3
  Signature: no signature
  Compatible devices: '[my-device-type]'
  Provides group: 
  Depends on one of artifact(s): []
  Depends on one of group(s): []
  State scripts:

Updates:
    0:
    Type:   docker
    Provides: Nothing
    Depends: Nothing
    Metadata:
	{
	  "containers": [
	    "debian@sha256:e25b64a9cf82c72080074d6b1bba7329cdd752d51574971fd37731ed164f3345"
	  ]
	}

$ mender-artifact sign -k private.key -o my-container-update-1.0-signed.mender my-container-update-1.0.mender
$ mender-artifact validate my-container-update-1.0-signed.mender -k public.key 
Artifact file 'my-container-update-1.0-signed.mender' validated successfully
$ mender-artifact read my-container-update-1.0-signed.mender -k public.key 
Mender artifact:
  Name: my-container-update-1.0
  Format: mender
  Version: 3
  Signature: signed and verified correctly
  Compatible devices: '[my-device-type]'
  Provides group: 
  Depends on one of artifact(s): []
  Depends on one of group(s): []
  State scripts:

Updates:
    0:
    Type:   docker
    Provides: Nothing
    Depends: Nothing
    Metadata:
	{
	  "containers": [
	    "debian@sha256:e25b64a9cf82c72080074d6b1bba7329cdd752d51574971fd37731ed164f3345"
	  ]
	}

The only difference compared to your sequence of commands is the order of the arguments to mender-artifact sign, but I cannot see that this should have any impact. I will test this as well but wanted to share these results first.

Also tried reordering the arguments to mender-artifact sign, still looks ok to me:

$ mender-artifact sign my-container-update-1.0.mender -k private.key -o my-container-update-1.0-signed.mender
$ mender-artifact read my-container-update-1.0-signed.mender -k public.key 
Mender artifact:
  Name: my-container-update-1.0
  Format: mender
  Version: 3
  Signature: signed and verified correctly
  Compatible devices: '[my-device-type]'
  Provides group: 
  Depends on one of artifact(s): []
  Depends on one of group(s): []
  State scripts:

Updates:
    0:
    Type:   docker
    Provides: Nothing
    Depends: Nothing
    Metadata:
	{
	  "containers": [
	    "debian@sha256:e25b64a9cf82c72080074d6b1bba7329cdd752d51574971fd37731ed164f3345"
	  ]
	}

I was using:

$ mender-artifact -version
mender-artifact version 3.1.0-dirty
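
When `read -k` or `validate -k` reports a signature that does not verify, one check worth making is whether the public key passed to `-k` is really the counterpart of the private key passed to `sign`. The script below is an added example, not part of the thread or of the Mender project; it assumes `openssl` is installed, the helper names `key_fingerprint` and `keys_match` are hypothetical, and the file names follow the ones used in the thread.

```shell
#!/bin/sh
# Print the SHA-256 of the DER-encoded public key stored in (or derived
# from) a key file. $1 = key file, $2 = "private" or "public".
# Returns 2 if openssl cannot parse the file.
key_fingerprint() {
    tmp=$(mktemp) || return 2
    if [ "$2" = "public" ]; then pubin="-pubin"; else pubin=""; fi
    # $pubin is intentionally unquoted so an empty value adds no argument.
    if openssl pkey $pubin -in "$1" -pubout -outform DER -out "$tmp" 2>/dev/null \
        && [ -s "$tmp" ]; then
        openssl dgst -sha256 -r "$tmp" | cut -d' ' -f1
        rc=0
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Return 0 if public key file $2 belongs to private key file $1,
# 1 if the two keys differ, 2 if either file cannot be parsed.
keys_match() {
    priv_fp=$(key_fingerprint "$1" private) || return 2
    pub_fp=$(key_fingerprint "$2" public) || return 2
    [ "$priv_fp" = "$pub_fp" ]
}

# When run as a script: ./check-keys.sh private.key public.key
if [ "$#" -eq 2 ]; then
    keys_match "$1" "$2"
    case $? in
        0) echo "public key matches the private key" ;;
        1) echo "MISMATCH: public key does not belong to this private key" ;;
        *) echo "could not parse one of the key files" ;;
    esac
fi
```

Both files are normalised to the same DER encoding before hashing, so differences in PEM layout between the two files do not affect the comparison.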