mail archive of the meta-rauc mailing list
 help / color / mirror / Atom feed
From: Thorsten Scherer <>
To: Adrien Martin <>
Cc: Patrick Boettcher <>,
	"" <>,
	"" <>
Subject: Re: [meta-rauc] [RAUC] [Yocto] Rauc certificate expiration management advices
Date: Tue, 3 Sep 2019 23:44:06 +0200	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

Hello Adrien,

On Wed, Aug 14, 2019 at 03:56:07PM +0000, Adrien Martin wrote:
> Hello,
> My name is Adrien Martin, embedded system engineer at STIMIO and I am facing an issue with rauc update security.
> Just to let you know, I don't have much experience with security concepts in general.
> I am using Rauc (v0.4, quite old I admit) for an embedded linux system (imx6ul) with barebox bootloader, all images / bundles are generated via Yocto (Poky)
> Following the documentation, you need to set :
>   *   RAUC_KEY_FILE = "path/to/key.pem"     # What I call the private key
>   *   RAUC_CERT_FILE = "path/to/cert.pem" # What I call the certificate (public key)
> As a result, when generating your image and bundle, you get :
>   *   A linux image with /etc/rauc/cert.pem integrated to your rootfs
>   *   A signed bundle with the key.pem
> My problem is what happens when the certificate is expired ?
> My initial though was, I just have to generate a new cert.pem, based on the same private key.pem with a new valid lifetime period and set up this new cert in the yocto recipe.
> Then, I generate the bundle via Yocto and try to install it.
> This doesn't work and gives me :
> # rauc info /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Reading bundle: /var/volatile/original/msdi-bundle-msdi-imx6-1.raucb
> rauc-Message: Verifying bundle...
> signature verification failed: Verify error:self signed certificate
> It looks like a bundle can only be use with the cert file set in the yocto recipe. This bundle will keep this cert file in /etc/rauc/ folder so all future bundle installations will need the exact same certificate.
> Could you explain me what am I missing ? What method do you recommand to manage certificates expirations over time ?

I guess you're trying to replace the expired certificate in a "Single
Key" scenario, which is not possible [1].  The documentaion lists some
other variants, though I am not sure which one applies best to your
use-case (maybe install hooks??).

> Thank you very much.
> Best regards,
> Adrien MARTIN
> Ingénieur Système Embarqué STIMIO
> 1 Avenue du Professeur Jean Rouxel, ZAC de la Fleuriaye, 44470 Carquefou
> [stimio_logo]
> _______________________________________________
> RAUC mailing list

Best regards,


Thorsten Scherer <>

meta-rauc mailing list

  reply	other threads:[~2019-09-03 21:44 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-14 15:56 [meta-rauc] " Adrien Martin
2019-09-03 21:44 ` Thorsten Scherer [this message]
2019-09-05 12:17   ` [meta-rauc] [RAUC] " Adrien Martin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox