Signing raspbian image, no entry in the mender.conf and also no public key on the device

Hello community,

I have problems with signing and verification for the Raspbian Buster image.

I did following:

1.) Created a golden image with the latest buster version

2.) wrote it back

3.) created an RSA private key and then the public key, as described in the article https://docs.mender.io/2.4/artifacts/signing-and-verification

4.) created a config file with the following content

RASPBERRYPI_CONFIG="raspberrypi3"
RASPBERRYPI_KERNEL_IMAGE="kernel7.img"
MENDER_KERNEL_IMAGETYPE="zImage"
MENDER_DEVICE_TYPE="raspberrypi3"
MENDER_ENABLE_SYSTEMD=n
MENDER_STORAGE_TOTAL_SIZE_MB="7448"
MENDER_ARTIFACT_SIGNING_KEY="/home/username/signing/private.key"
MENDER_ARTIFACT_VERIFY_KEY="/home/username/signing/public.key"
source configs/raspberrypi_config

5.) fired up the command and also added the key parameters on the console, because it didn't work from the config file.

MENDER_ARTIFACT_NAME=imageA-production-v1.5 \
MENDER_ARTIFACT_SIGNING_KEY="/home/username/signing/private.key" \
MENDER_ARTIFACT_VERIFY_KEY="/home/username/signing/public.key" \
 ./docker-mender-convert \
--disk-image input/golden-imageA-v1.5.img \
--config configs/imageA \
--overlay ./rootfs_overlay_demo

6.) Flashed the production image to the pi

The problem now is that the public key is not stored on the device, and I get the following error when I try to update the system with the created artifact.

INFO[0000] No public key was provided for authenticating the artifact

ERRO[0000] Reading headers failed: installer: failed to read Artifact: readHeaderV3: handleHeaderReads: Artifact Payload type 'rootfs-image' is not supported by this Mender Client. Ensure that the Mender Client is fully integrated and that the RootfsPartA/B configuration variables are set correctly in 'mender.conf'

ERRO[0000] installer: failed to read Artifact: readHeaderV3: handleHeaderReads: Artifact Payload type 'rootfs-image' is not supported by this Mender Client. Ensure that the Mender Client is fully integrated and that the RootfsPartA/B configuration variables are set correctly in 'mender.conf'

Did I miss something?

Thank you in advance,
cheers PFGO

Hi @PFGO, those variables are used for Yocto builds, not for mender-convert.

I think you need to store the public.key file in the rootfs_overlay_demo/etc/mender/ directory with the name artifact-verify-key.pem.

You also need to create a custom mender_create_artifact function as shown here that adds the --key /home/username/signing/private.key option to the invocation of mender-convert.

Drew


Ok, thank you, this seems to be working, but I have another problem with it.

If I use the rootfs overlay, it changes the /etc permissions, and then my scripts that call hostnamectl, for example, stop working.

Any idea?

Thank you in advance,

cheers PFGO

Which specific files/directories get changed? You need to ensure that the files and directories in your overlay have the same ownership and permissions you want them to have on the target.

Drew
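An added example, not code from the thread or from mender-convert, that stages the verify key into the overlay the way Drew describes and then checks the overlay's modes before mender-convert copies it onto the rootfs, so an unreadable /etc is caught on the build host rather than on the Pi. It assumes a Linux build host with GNU stat and overlay paths without spaces; the overlay and key paths are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread or from mender-convert.
# Stages the artifact verify key into a rootfs overlay and checks that the
# overlay's modes are what they should be on the device before converting.
# Assumes GNU stat (Linux build host) and overlay paths without spaces.
set -eu

# Put the public key where the Mender client looks for it on the device
# (/etc/mender/artifact-verify-key.pem) and force sane modes regardless of
# the build host's umask, so /etc does not end up unreadable for services.
stage_verify_key() {
    overlay="$1"; pubkey="$2"
    mkdir -p "$overlay/etc/mender"
    chmod 0755 "$overlay/etc" "$overlay/etc/mender"
    cp "$pubkey" "$overlay/etc/mender/artifact-verify-key.pem"
    chmod 0644 "$overlay/etc/mender/artifact-verify-key.pem"
}

# Walk the overlay and report entries whose modes would break the target:
# directories must be 0755 and files must be world-readable (a 0600 file or
# 0700 directory under /etc is what stops tools like hostnamectl working).
# Ownership is only printed for review, since the build user is rarely root.
# Returns 1 if any mode mismatch was found, 0 otherwise.
check_overlay_modes() {
    overlay="$1"; bad=0
    for d in $(find "$overlay" -mindepth 1 -type d); do
        m=$(stat -c '%a' "$d"); rel=${d#"$overlay"}
        if [ "$m" != "755" ]; then
            echo "BAD dir  $rel mode $m (expected 755)"; bad=1
        fi
    done
    for f in $(find "$overlay" -type f); do
        m=$(stat -c '%a' "$f"); o=$(stat -c '%U:%G' "$f"); rel=${f#"$overlay"}
        case "$m" in
            *[4-7]) ;;  # last octal digit carries the read bit: world-readable
            *) echo "BAD file $rel mode $m (not world-readable)"; bad=1 ;;
        esac
        [ "$o" = "root:root" ] || echo "NOTE $rel owned by $o, not root:root"
    done
    return "$bad"
}

# Usage: ./overlay-check.sh rootfs_overlay_demo /home/username/signing/public.key
if [ "$#" -eq 2 ]; then
    stage_verify_key "$1" "$2"
    check_overlay_modes "$1"
fi
```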