mail archive of the rauc mailing list
From: "Jan Lübbe" <jlu@pengutronix.de>
To: "Yazdani, Reyhaneh" <RYazdani@data-modul.com>,
	"rauc@pengutronix.de" <rauc@pengutronix.de>
Subject: Re: [RAUC] RAUC update systems with release keys
Date: Mon, 14 Mar 2022 11:25:49 +0100	[thread overview]
Message-ID: <9d00cd833c9825240522eb88887cc4962137de96.camel@pengutronix.de> (raw)
In-Reply-To: <d35f4cc0d80b470a92507dda9212d27e@data-modul.com>

On Mon, 2022-03-14 at 09:40 +0000, Yazdani, Reyhaneh wrote:
> Hi Jan,
> 
> Thanks for the quick response.
> 
> > -----Original Message-----
> > From: Jan Lübbe <jlu@pengutronix.de>
> > Sent: Monday, 14 March 2022 09:39
> > To: Yazdani, Reyhaneh <RYazdani@data-modul.com>; rauc@pengutronix.de
> > Subject: Re: [RAUC] RAUC update systems with release keys
> > 
> > Hi Reyhaneh,
> > 
> > On Mon, 2022-03-14 at 08:08 +0000, Yazdani, Reyhaneh wrote:
> > > Hello,
> > > 
> > > Currently we have some devices which were programmed with development
> > > keys in the past.
> > > Now, we need to use them as final devices with a bundle signed with
> > > release keys.
> > > I copied the cert file manually to the certificate path in the rootfs and tried
> > > to use the rauc install command to program the device with the release bundle,
> > > but it fails.
> > 
> > Just to avoid misunderstandings: You replaced your /etc/rauc/keyring.pem
> > (or another keyring path as configured in your system.conf) with the release
> > keyring?
> 
> [Reyhaneh] Yes, I replaced the old /etc/rauc/rauc.cert.pem (whose path is defined in system.conf) with the new one.
> > 
> > Did you restart the rauc service?
> [Reyhaneh] Yes. I ran systemctl restart rauc

Good. Which error output do you see from the rauc service in the journal?

> > > What would be the correct procedure to bring development devices into
> > > final devices?
> > 
> > Your approach should work in general, but there are others.
> > 
> > You could also have the release CA certificate as a second cert in the
> > development image keyring. In that case, you should be careful with
> > migrations, though, as you probably want to avoid unexpected leftovers
> > from development software.

> If I want to resign the bundle instead of bitbaking to get a new bundle with the release key, then I should use the
> "rauc resign" command. Yes? Is the below command correct?
> 
> rauc resign --cert=new-cert --key=new-key --keyring=old-keyring input-bundle output-bundle

You could add --signing-keyring=new-keyring to let RAUC check that the resulting
signature can be verified with the new keyring.

Also, please note that when you use 'rauc resign', you need to select the
correct keyring file in a hook (otherwise you're probably installing just the
development keyring). There is an example in
https://rauc.readthedocs.io/en/latest/advanced.html#switching-the-keyring-spki-hashes

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
RAUC mailing list
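The mismatch discussed in this thread, reproduced with OpenSSL alone as an added example (not code from the thread or from the RAUC project): RAUC verifies a bundle's detached CMS signature against the keyring PEM, so a manifest signed with the release key verifies against a keyring holding the release certificate, or one holding both certificates, but not against the development keyring. It assumes `openssl` is on PATH; the two self-signed certificates and the manifest are constructed test material.

```shell
#!/bin/sh
# Added example, not from the thread: show why a release-signed bundle fails
# against a development keyring, using openssl's CMS commands on a stand-in
# manifest. Keys, certs and manifest below are constructed test data.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Two independent self-signed trust roots, standing in for the development
# and release signing certificates that would normally sit in the keyring.
mkcert() {  # $1 = name; writes $1.key.pem and $1.cert.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1 signing cert" \
        -keyout "$1.key.pem" -out "$1.cert.pem" 2>/dev/null
}
mkcert dev
mkcert release

# Stand-in for the bundle manifest, the data the CMS signature covers.
printf '[update]\ncompatible=example-board\nversion=2022.03\n' > manifest.raucm

# Sign it with the release key, as a release bundle would be signed.
openssl cms -sign -binary -in manifest.raucm -signer release.cert.pem \
    -inkey release.key.pem -outform PEM -out manifest.sig

# verify_with KEYRING: prints 0 if the signature verifies against that
# keyring and 1 otherwise (the check RAUC performs on install).
verify_with() {
    if openssl cms -verify -binary -inform PEM -in manifest.sig \
        -content manifest.raucm -CAfile "$1" -out /dev/null 2>/dev/null
    then echo 0; else echo 1; fi
}

# Keyring variants: dev only (what the devices still carry), release only
# (what was copied onto the device), and both certs in one PEM file
# (the "second cert in the development keyring" option).
cp dev.cert.pem keyring-dev.pem
cp release.cert.pem keyring-release.pem
cat dev.cert.pem release.cert.pem > keyring-both.pem

for kr in keyring-dev.pem keyring-release.pem keyring-both.pem; do
    echo "$kr: $(verify_with "$kr")"
done
# prints keyring-dev.pem: 1, keyring-release.pem: 0, keyring-both.pem: 0
```

The `--signing-keyring` option mentioned above makes `rauc resign` run the equivalent of the release-keyring check before writing the output bundle.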
