mail archive of the rauc mailing list
 help / color / mirror / Atom feed
* [RAUC] problems verifying a bundle
@ 2020-04-28 17:55 Diego González
  2020-04-29  6:53 ` Jan Lübbe
  0 siblings, 1 reply; 2+ messages in thread
From: Diego González @ 2020-04-28 17:55 UTC (permalink / raw)
  To: rauc


[-- Attachment #1.1: Type: text/plain, Size: 1744 bytes --]

Hello,

I am having issues when I try to verify a bundle downloaded on the device.
I am using rauc 1.3 through the meta-rauc for Yocto.

I am running *rauc info [name of the bundle].raucb* on the device. The
output I get is the following:

rauc-Message: 17:24:54.156: Debug log domains: 'all'
(rauc:528): rauc-DEBUG: 17:24:54.165: input bundle:
/var/1/rauc-bundle-raspberrypi3-64.raucb
(rauc:528): rauc-DEBUG: 17:24:54.166: No value for key
"max-bundle-download-size" in [system] defined - using default value of
8388608 bytes.
(rauc:528): rauc-DEBUG: 17:24:54.166: No mount prefix provided, using
/mnt/rauc/ as default
rauc-Message: 17:24:54.167: Reading bundle:
/var/1/rauc-bundle-raspberrypi3-64.raucb
(rauc:528): GLib-GIO-DEBUG: 17:24:54.170: _g_io_module_get_default: Found
default implementation local (GLocalVfs) for ?gio-vfs?
rauc-Message: 17:24:54.173: Verifying bundle...
*signature verification failed: Verify error:unsupported certificate
purpose*

I don't really know how to get past this issue. I have included in a file
the root certificate, intermediate certificate and the certificate that
corresponds to they key used to sign the bundle. And I point to that file
with path=/etc/rauc/firmware-keyring.pem in the system.conf file.

previous to doing that I was getting:
[...]
*signature verification failed: Verify error:unable to get local issuer
certificate*

With regards to the environment variables this is what I am using:

RAUC_KEY_FILE="/h4-work/certs/rauc/firmware-key.pem"
RAUC_CERT_FILE="/h4-work/certs/rauc/firmware.pem"
RAUC_KEYRING_FILE="firmware-keyring.pem" (which is the file that I am using
on the device)

I don't really know how to get past this issue, any points would be highly
appreciated.

Cheers,
Diego

[-- Attachment #1.2: Type: text/html, Size: 2231 bytes --]

[-- Attachment #2: Type: text/plain, Size: 66 bytes --]

_______________________________________________
RAUC mailing list

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [RAUC] problems verifying a bundle
  2020-04-28 17:55 [RAUC] problems verifying a bundle Diego González
@ 2020-04-29  6:53 ` Jan Lübbe
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Lübbe @ 2020-04-29  6:53 UTC (permalink / raw)
  To: Diego González, rauc

Hi,

On Tue, 2020-04-28 at 19:55 +0200, Diego González wrote:
> Hello,
> 
> I am having issues when I try to verify a bundle downloaded on the
> device. I am using rauc 1.3 through the meta-rauc for Yocto. 

We added support for certificate key usage/purpose in 1.3. Is this a
regression compared to 1.2?

> I am running rauc info [name of the bundle].raucb on the device. The
> output I get is the following:
> 
> rauc-Message: 17:24:54.156: Debug log domains: 'all'
> (rauc:528): rauc-DEBUG: 17:24:54.165: input bundle: /var/1/rauc-
> bundle-raspberrypi3-64.raucb
> (rauc:528): rauc-DEBUG: 17:24:54.166: No value for key "max-bundle-
> download-size" in [system] defined - using default value of 8388608
> bytes.
> (rauc:528): rauc-DEBUG: 17:24:54.166: No mount prefix provided, using
> /mnt/rauc/ as default
> rauc-Message: 17:24:54.167: Reading bundle: /var/1/rauc-bundle-
> raspberrypi3-64.raucb
> (rauc:528): GLib-GIO-DEBUG: 17:24:54.170: _g_io_module_get_default:
> Found default implementation local (GLocalVfs) for ?gio-vfs?
> rauc-Message: 17:24:54.173: Verifying bundle... 
> signature verification failed: Verify error:unsupported certificate
> purpose

If you haven't specified check-purpose in your system.conf, I suspect
that you have keyUsage or extendedKeyUsage attributes in your
certificate chain. Could you upload the output of openssl x509 -in
<foo.pem> -text for all certificates somewhere so we can check that?

This looks similar to https://github.com/rauc/rauc/issues/568, but so
far we haven't found the underlying cause with the certificates in that
issue yet.

> I don't really know how to get past this issue. I have included in a
> file the root certificate, intermediate certificate and the
> certificate that corresponds to they key used to sign the bundle. And
> I point to that file with path=/etc/rauc/firmware-keyring.pem in the
> system.conf file.
> 
> previous to doing that I was getting:
> [...]
> signature verification failed: Verify error:unable to get local
> issuer certificate

As you're using an intermediate certificate, that needs to be either
included in the keyring or included with the bundle signature:
https://rauc.readthedocs.io/en/latest/advanced.html#intermediate-certificates

> With regards to the environment variables this is what I am using:
> 
> RAUC_KEY_FILE="/h4-work/certs/rauc/firmware-key.pem"
> RAUC_CERT_FILE="/h4-work/certs/rauc/firmware.pem"
> RAUC_KEYRING_FILE="firmware-keyring.pem" (which is the file that I am
> using on the device)
> 
> I don't really know how to get past this issue, any points would be
> highly appreciated.

The variables look fine.

Regards,
Jan



_______________________________________________
RAUC mailing list

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2020-04-29  6:53 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-28 17:55 [RAUC] problems verifying a bundle Diego González
2020-04-29  6:53 ` Jan Lübbe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox