mail archive of the rauc mailing list
* Re: [RAUC] RAUC update systems with release keys
       [not found] <b098c3e50a5549f984c64e4197f80dd1@data-modul.com>
@ 2022-03-14  8:39 ` Jan Lübbe
  2022-03-14  9:40   ` Yazdani, Reyhaneh
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Lübbe @ 2022-03-14  8:39 UTC (permalink / raw)
  To: Yazdani, Reyhaneh, rauc

Hi Reyhaneh,

On Mon, 2022-03-14 at 08:08 +0000, Yazdani, Reyhaneh wrote:
> Hello,
>  
> Currently we have some devices which were programmed with development keys in
> the past.
> Now, we need to use them as final devices with bundles signed with release
> keys.
> I copied the cert file manually to the certificate path in the rootfs and tried to use
> the rauc install command to program the device with the release bundle, but it fails.

Just to avoid misunderstandings: You replaced your /etc/rauc/keyring.pem (or
another keyring path as configured in your system.conf) with the release keyring?

Did you restart the rauc service?

> What would be the correct procedure to bring development-devices into final-
> devices?

Your approach should work in general, but there are others.

You could also have the release CA certificate as a second cert in the
development image keyring. In that case, you should be careful with migrations,
though, as you probably want to avoid unexpected leftovers from development
software.

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
RAUC mailing list


* Re: [RAUC] RAUC update systems with release keys
  2022-03-14  8:39 ` [RAUC] RAUC update systems with release keys Jan Lübbe
@ 2022-03-14  9:40   ` Yazdani, Reyhaneh
  2022-03-14 10:25     ` Jan Lübbe
  0 siblings, 1 reply; 4+ messages in thread
From: Yazdani, Reyhaneh @ 2022-03-14  9:40 UTC (permalink / raw)
  To: Jan Lübbe, rauc

Hi Jan,

Thanks for quick response.

> -----Original Message-----
> From: Jan Lübbe <jlu@pengutronix.de>
> Sent: Monday, 14 March 2022 09:39
> To: Yazdani, Reyhaneh <RYazdani@data-modul.com>; rauc@pengutronix.de
> Subject: Re: [RAUC] RAUC update systems with release keys
> 
> Hi Reyhaneh,
> 
> On Mon, 2022-03-14 at 08:08 +0000, Yazdani, Reyhaneh wrote:
> > Hello,
> >
> > Currently we have some devices which were programmed with development
> > keys in the past.
> > Now, we need to use them as final devices with bundles signed with
> > release keys.
> > I copied the cert file manually to the certificate path in the rootfs and tried
> > to use the rauc install command to program the device with the release bundle,
> > but it fails.
> 
> Just to avoid misunderstandings: You replaced your /etc/rauc/keyring.pem
> (or another keyring path as configured in your system.conf) with the release
> keyring?

[Reyhaneh] Yes, I replaced the old /etc/rauc/rauc.cert.pem (whose path is defined in system.conf) with the new one.
> 
> Did you restart the rauc service?
[Reyhaneh] Yes. I ran systemctl restart rauc
> 
> > What would be the correct procedure to bring development-devices into
> > final- devices?
> 
> Your approach should work in general, but there are others.
> 
> You could also have the release CA certificate as a second cert in the
> development image keyring. In that case, you should be careful with
> migrations, though, as you probably want to avoid unexpected leftovers
> from development software.
If I want to resign the bundle instead of bitbaking to get a new bundle with the release key, then I should use
the "rauc resign" command. Yes? Is the command below correct?

rauc resign --cert=new-cert --key=new-key --keyring=old-keyring input-bundle output-bundle

Best regards,
Reyhaneh

> 
> Regards,
> Jan

* Re: [RAUC] RAUC update systems with release keys
  2022-03-14  9:40   ` Yazdani, Reyhaneh
@ 2022-03-14 10:25     ` Jan Lübbe
  2022-03-14 11:01       ` Yazdani, Reyhaneh
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Lübbe @ 2022-03-14 10:25 UTC (permalink / raw)
  To: Yazdani, Reyhaneh, rauc

On Mon, 2022-03-14 at 09:40 +0000, Yazdani, Reyhaneh wrote:
> Hi Jan,
> 
> Thanks for quick response.
> 
> > -----Original Message-----
> > From: Jan Lübbe <jlu@pengutronix.de>
> > Sent: Monday, 14 March 2022 09:39
> > To: Yazdani, Reyhaneh <RYazdani@data-modul.com>; rauc@pengutronix.de
> > Subject: Re: [RAUC] RAUC update systems with release keys
> > 
> > Hi Reyhaneh,
> > 
> > On Mon, 2022-03-14 at 08:08 +0000, Yazdani, Reyhaneh wrote:
> > > Hello,
> > > 
> > > Currently we have some devices which were programmed with development
> > > keys in the past.
> > > Now, we need to use them as final devices with bundles signed with
> > > release keys.
> > > I copied the cert file manually to the certificate path in the rootfs and tried
> > > to use the rauc install command to program the device with the release bundle,
> > > but it fails.
> > 
> > Just to avoid misunderstandings: You replaced your /etc/rauc/keyring.pem
> > (or another keyring path as configured in your system.conf) with the release
> > keyring?
> 
> [Reyhaneh] Yes, I replaced the old /etc/rauc/rauc.cert.pem (whose path is defined in system.conf) with the new one.
> > 
> > Did you restart the rauc service?
> [Reyhaneh] Yes. I ran systemctl restart rauc

Good. Which error output do you see from the rauc service in the journal?

> > > What would be the correct procedure to bring development-devices into
> > > final- devices?
> > 
> > Your approach should work in general, but there are others.
> > 
> > You could also have the release CA certificate as a second cert in the
> > development image keyring. In that case, you should be careful with
> > migrations, though, as you probably want to avoid unexpected leftovers
> > from development software.

> If I want to resign the bundle instead of bitbaking to get a new bundle with the release key, then I should use
> the "rauc resign" command. Yes? Is the command below correct?
> 
> rauc resign --cert=new-cert --key=new-key --keyring=old-keyring input-bundle output-bundle

You could add --signing-keyring=new-keyring to let RAUC check that the resulting
signature can be verified with the new keyring.

Also, please note that when you use 'rauc resign', you need to select the
correct keyring file in a hook. (otherwise you're probably installing just the
development keyring). There is an example in
https://rauc.readthedocs.io/en/latest/advanced.html#switching-the-keyring-spki-hashes

Regards,
Jan


* Re: [RAUC] RAUC update systems with release keys
  2022-03-14 10:25     ` Jan Lübbe
@ 2022-03-14 11:01       ` Yazdani, Reyhaneh
  0 siblings, 0 replies; 4+ messages in thread
From: Yazdani, Reyhaneh @ 2022-03-14 11:01 UTC (permalink / raw)
  To: Jan Lübbe, rauc

> On Mon, 2022-03-14 at 09:40 +0000, Yazdani, Reyhaneh wrote:
> > Hi Jan,
> >
> > Thanks for quick response.
> >
> > > -----Original Message-----
> > > From: Jan Lübbe <jlu@pengutronix.de>
> > > Sent: Monday, 14 March 2022 09:39
> > > To: Yazdani, Reyhaneh <RYazdani@data-modul.com>; rauc@pengutronix.de
> > > Subject: Re: [RAUC] RAUC update systems with release keys
> > >
> > > Hi Reyhaneh,
> > >
> > > On Mon, 2022-03-14 at 08:08 +0000, Yazdani, Reyhaneh wrote:
> > > > Hello,
> > > >
> > > > Currently we have some devices which were programmed with
> > > > development keys in the past.
> > > > Now, we need to use them as final devices with bundles signed with
> > > > release keys.
> > > > I copied the cert file manually to the certificate path in the rootfs and
> > > > tried to use the rauc install command to program the device with the
> > > > release bundle,
> > > > but it fails.
> > >
> > > Just to avoid misunderstandings: You replaced your
> > > /etc/rauc/keyring.pem (or another keyring path as configured in your
> > > system.conf) with the release keyring?
> >
> > [Reyhaneh] Yes, I replaced the old /etc/rauc/rauc.cert.pem (whose path
> > is defined in system.conf) with the new one.
> > >
> > > Did you restart the rauc service?
> > [Reyhaneh] Yes. I ran systemctl restart rauc
> 
> Good. Which error output do you see from the rauc service in the journal?

[Reyhaneh] I found the issue. The time on the device was much older than the date on the machine on which I signed the bundle.
> 
> > > > What would be the correct procedure to bring development-devices
> > > > into
> > > > final- devices?
> > >
> > > Your approach should work in general, but there are others.
> > >
> > > You could also have the release CA certificate as a second cert in
> > > the development image keyring. In that case, you should be careful
> > > with migrations, though, as you probably want to avoid unexpected
> > > leftovers from development software.
> 
> > If I want to resign the bundle instead of bitbaking to get a new
> > bundle with the release key, then I should use the "rauc resign" command. Yes? Is
> > the command below correct?
> >
> > rauc resign --cert=new-cert --key=new-key --keyring=old-keyring
> > input-bundle output-bundle
> 
> You could add --signing-keyring=new-keyring to let RAUC check that the
> resulting signature can be verified with the new keyring.
> 
> Also, please note that when you use 'rauc resign', you need to select the
> correct keyring file in a hook. (otherwise you're probably installing just the
> development keyring). There is an example in
> https://rauc.readthedocs.io/en/latest/advanced.html#switching-the-keyring-spki-hashes

[Reyhaneh] Thanks for the hint.

Best regards,
Reyhaneh
> 
> Regards,
> Jan
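The two things this thread turned on, the device clock lagging behind the signer certificate's notBefore and the device still holding the development keyring after a resign, can both be reproduced and told apart with plain openssl, since RAUC's CMS verification hands the certificate-chain check to the OpenSSL X509 store. The script below is an added example written for this page; it is not code from RAUC, from Pengutronix or from either poster. It assumes openssl 1.1 or newer in PATH and a writable temp dir, generates throwaway development and release CAs plus a bundle-signing certificate (never real release keys), and then verifies the signer against each keyring at a chosen clock value. The SPKI hash helper computes the same value a keyring-switching hook compares to decide whether the release keyring still needs to be installed; it reads only the first certificate of a keyring file, which is an assumption of this demo.

```shell
#!/bin/sh
# Added example for this thread; not code from RAUC, Pengutronix or either poster.
# Reproduces with plain openssl the two checks behind the migration above:
#   1. the chain check that RAUC's CMS verification delegates to the OpenSSL
#      X509 store rejects a signer whose notBefore is later than the device
#      clock ("certificate is not yet valid"), the failure traced to a stale
#      device time; a wrong keyring fails with a different, recognisable error;
#   2. the SPKI SHA-256 of a CA certificate, the value a keyring-switching hook
#      compares against known development/release hashes.
# Assumptions: openssl >= 1.1 in PATH, writable temp dir; all keys are
# throwaway ones generated here, never real release keys.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# mk_ca <common-name> <out-prefix>: self-signed throwaway CA (constructed for the demo).
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Development CA, release CA, and a bundle signer issued by the release CA.
# The signer is valid from the moment it is created, like a fresh release
# certificate minted on a build machine whose clock is correct.
mk_release_pki() {
    mk_ca "Demo Development CA" "$WORK/dev-ca"
    mk_ca "Demo Release CA" "$WORK/ca"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Release Signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/signer.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/signer.pem" 2>/dev/null
}

# verify_at <unix-epoch> <keyring.pem>: chain-check the signer against
# <keyring.pem> as if the system clock read <unix-epoch>. Prints "valid" or a
# short reason derived from openssl's error; returns 0 only when it verifies.
verify_at() {
    if out="$(openssl verify -attime "$1" -CAfile "$2" \
            "$WORK/signer.pem" 2>&1)"; then
        echo valid
        return 0
    fi
    case "$out" in
        *"certificate is not yet valid"*)           echo "certificate is not yet valid" ;;
        *"certificate has expired"*)                echo "certificate has expired" ;;
        *"unable to get local issuer certificate"*) echo "wrong keyring: unable to get local issuer certificate" ;;
        *)                                          echo "$out" ;;
    esac
    return 1
}

# spki_sha256 <cert.pem>: hex SHA-256 over the DER SubjectPublicKeyInfo of the
# first certificate in the file.
spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r \
        | cut -d' ' -f1
}

# needs_keyring_switch <installed-keyring.pem> <release-ca.pem>: 0 when the
# keyring on the device does not carry the release CA's public key, i.e. a
# resigned bundle must also install the release keyring.
needs_keyring_switch() {
    [ "$(spki_sha256 "$1")" != "$(spki_sha256 "$2")" ]
}

demo() {
    mk_release_pki
    now="$(date +%s)"
    echo "release CA SPKI sha256:    $(spki_sha256 "$WORK/ca.pem")"
    echo "release keyring, clock ok: $(verify_at "$now" "$WORK/ca.pem" || true)"
    # 1262304000 = 2010-01-01T00:00:00Z, the kind of date an unset RTC boots into.
    echo "release keyring, 2010:     $(verify_at 1262304000 "$WORK/ca.pem" || true)"
    echo "dev keyring, clock ok:     $(verify_at "$now" "$WORK/dev-ca.pem" || true)"
    if needs_keyring_switch "$WORK/dev-ca.pem" "$WORK/ca.pem"; then
        echo "device keyring is the development CA: install the release keyring too"
    fi
}
demo
```

On a real device the same diagnosis is `date` plus `openssl verify -CAfile /etc/rauc/keyring.pem` against the bundle's signer certificate; the rauc service's journal output names the same OpenSSL error strings, so "not yet valid" points at the clock and "unable to get local issuer certificate" at the keyring. The script does not invoke `rauc resign`; the thread's command with `--signing-keyring` is still how the release bundle is produced, and the SPKI comparison only answers whether that bundle also has to carry the release keyring in a hook.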
