Signing raspbian image, no entry in the mender.conf and also no public key on the device

PFGO · August 11, 2020, 3:40pm

Hello community,

I’ve problems with signing and verification for the raspbian buster image.

I did following:

1.) Created a golden image with the latest buster version

2.) wrote it back

3.) created an rsa private key and then the public key, as described in the article https://docs.mender.io/2.4/artifacts/signing-and-verification

4.) created a config file with the following content

RASPBERRYPI_CONFIG="raspberrypi3"
RASPBERRYPI_KERNEL_IMAGE="kernel7.img"
MENDER_KERNEL_IMAGETYPE="zImage"
MENDER_DEVICE_TYPE="raspberrypi3"
MENDER_ENABLE_SYSTEMD=n
MENDER_STORAGE_TOTAL_SIZE_MB="7448"
MENDER_ARTIFACT_SIGNING_KEY="/home/username/signing/private.key"
MENDER_ARTIFACT_VERIFY_KEY="/home/username/signing/public.key"
source configs/raspberrypi_config

5.) fired up the commend and also added the key parameters to the console, because it didn’t worked from the config file.

MENDER_ARTIFACT_NAME=imageA-production-v1.5 \
MENDER_ARTIFACT_SIGNING_KEY="/home/username/signing/private.key" \
MENDER_ARTIFACT_VERIFY_KEY="/home/username/signing/public.key" \
 ./docker-mender-convert \
--disk-image input/golden-imageA-v1.5.img \
--config configs/imageA \
--overlay ./rootfs_overlay_demo

6.) Flashed the production image to the pi

The Problem is now, the public key is not stored on the device and I get the following error when I test it to update the system with the created artifact.

INFO[0000] No public key was provided for authenticating the artifact 

ERRO[0000] Reading headers failed: installer: failed to read Artifact: readHeaderV3: handleHeaderReads: Artifact Payload type 'rootfs-image' is not supported by this Mender Client. Ensure that the Mender Client is fully integrated and that the RootfsPartA/B configuration variables are set correctly in 'mender.conf' 

ERRO[0000] installer: failed to read Artifact: readHeaderV3: handleHeaderReads: Artifact Payload type 'rootfs-image' is not supported by this Mender Client. Ensure that the Mender Client is fully integrated and that the RootfsPartA/B configuration variables are set correctly in 'mender.conf'

Did I miss something?

Thank you in advance,
cheers PFGO

drewmoseley · August 11, 2020, 7:31pm

Hi @PFGO, those variables are used for Yocto builds, not for mender-convert.

I think you need to store the public.key file in the rootfs_overlay_demo/etc/mender/ directory with the name artifact-verify-key.pem.

You also need to create a custom mender_create_artifact function as shown here that adds the --key /home/username/signing/private.key option to the invocation of mender-convert.

Drew

PFGO · August 12, 2020, 1:13pm

Ok thank you this seems to be working but I got another problem with it.

If I use the rootfs overlays, it changes the etc permissions and then my scripts which are calling hostnamectl for example, stopped working.

Any idea?

Thank you in advance,

cheers PFGO

drewmoseley · August 12, 2020, 3:44pm

Which specific files/directories get changed? You need to ensure that the files and directories in your overlay have the same ownership and permissions you want them to have on the target.

Drew

Topic		Replies	Views
Mender artifact signing issue - no key for verification provided General Discussions mender-artifact , signature-artifacts	2	206	November 14, 2023
Issue with key verification using Directory Update Module General Discussions	25	1504	June 28, 2019
Issue with Mender Artifact signature when using Docker Update Module General Discussions	5	714	September 24, 2019
Problems with Raspbian Buster General Discussions	12	2158	August 12, 2019
Issue installing artifact on Raspberry PI 3 General Discussions raspberry-pi-3	1	841	June 3, 2019

Signing raspbian image, no entry in the mender.conf and also no public key on the device

Related topics