* [RAUC] problems verifying a bundle
@ 2020-04-28 17:55 Diego González
2020-04-29 6:53 ` Jan Lübbe
0 siblings, 1 reply; 2+ messages in thread
From: Diego González @ 2020-04-28 17:55 UTC (permalink / raw)
To: rauc
[-- Attachment #1.1: Type: text/plain, Size: 1744 bytes --]
Hello,
I am having issues when I try to verify a bundle downloaded on the device.
I am using rauc 1.3 through the meta-rauc for Yocto.
I am running *rauc info [name of the bundle].raucb* on the device. The
output I get is the following:
rauc-Message: 17:24:54.156: Debug log domains: 'all'
(rauc:528): rauc-DEBUG: 17:24:54.165: input bundle:
/var/1/rauc-bundle-raspberrypi3-64.raucb
(rauc:528): rauc-DEBUG: 17:24:54.166: No value for key
"max-bundle-download-size" in [system] defined - using default value of
8388608 bytes.
(rauc:528): rauc-DEBUG: 17:24:54.166: No mount prefix provided, using
/mnt/rauc/ as default
rauc-Message: 17:24:54.167: Reading bundle:
/var/1/rauc-bundle-raspberrypi3-64.raucb
(rauc:528): GLib-GIO-DEBUG: 17:24:54.170: _g_io_module_get_default: Found
default implementation local (GLocalVfs) for ?gio-vfs?
rauc-Message: 17:24:54.173: Verifying bundle...
*signature verification failed: Verify error:unsupported certificate
purpose*
I don't really know how to get past this issue. I have included in a file
the root certificate, intermediate certificate and the certificate that
corresponds to they key used to sign the bundle. And I point to that file
with path=/etc/rauc/firmware-keyring.pem in the system.conf file.
previous to doing that I was getting:
[...]
*signature verification failed: Verify error:unable to get local issuer
certificate*
With regards to the environment variables this is what I am using:
RAUC_KEY_FILE="/h4-work/certs/rauc/firmware-key.pem"
RAUC_CERT_FILE="/h4-work/certs/rauc/firmware.pem"
RAUC_KEYRING_FILE="firmware-keyring.pem" (which is the file that I am using
on the device)
I don't really know how to get past this issue, any points would be highly
appreciated.
Cheers,
Diego
[-- Attachment #1.2: Type: text/html, Size: 2231 bytes --]
[-- Attachment #2: Type: text/plain, Size: 66 bytes --]
_______________________________________________
RAUC mailing list
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [RAUC] problems verifying a bundle
2020-04-28 17:55 [RAUC] problems verifying a bundle Diego González
@ 2020-04-29 6:53 ` Jan Lübbe
0 siblings, 0 replies; 2+ messages in thread
From: Jan Lübbe @ 2020-04-29 6:53 UTC (permalink / raw)
To: Diego González, rauc
Hi,
On Tue, 2020-04-28 at 19:55 +0200, Diego González wrote:
> Hello,
>
> I am having issues when I try to verify a bundle downloaded on the
> device. I am using rauc 1.3 through the meta-rauc for Yocto.
We added support for certificate key usage/purpose in 1.3. Is this a
regression compared to 1.2?
> I am running rauc info [name of the bundle].raucb on the device. The
> output I get is the following:
>
> rauc-Message: 17:24:54.156: Debug log domains: 'all'
> (rauc:528): rauc-DEBUG: 17:24:54.165: input bundle: /var/1/rauc-
> bundle-raspberrypi3-64.raucb
> (rauc:528): rauc-DEBUG: 17:24:54.166: No value for key "max-bundle-
> download-size" in [system] defined - using default value of 8388608
> bytes.
> (rauc:528): rauc-DEBUG: 17:24:54.166: No mount prefix provided, using
> /mnt/rauc/ as default
> rauc-Message: 17:24:54.167: Reading bundle: /var/1/rauc-bundle-
> raspberrypi3-64.raucb
> (rauc:528): GLib-GIO-DEBUG: 17:24:54.170: _g_io_module_get_default:
> Found default implementation local (GLocalVfs) for ?gio-vfs?
> rauc-Message: 17:24:54.173: Verifying bundle...
> signature verification failed: Verify error:unsupported certificate
> purpose
If you haven't specified check-purpose in your system.conf, I suspect
that you have keyUsage or extendedKeyUsage attributes in your
certificate chain. Could you upload the output of openssl x509 -in
<foo.pem> -text for all certificates somewhere so we can check that?
This looks similar to https://github.com/rauc/rauc/issues/568, but so
far we haven't found the underlying cause with the certificates in that
issue yet.
> I don't really know how to get past this issue. I have included in a
> file the root certificate, intermediate certificate and the
> certificate that corresponds to they key used to sign the bundle. And
> I point to that file with path=/etc/rauc/firmware-keyring.pem in the
> system.conf file.
>
> previous to doing that I was getting:
> [...]
> signature verification failed: Verify error:unable to get local
> issuer certificate
As you're using an intermediate certificate, that needs to be either
included in the keyring or included with the bundle signature:
https://rauc.readthedocs.io/en/latest/advanced.html#intermediate-certificates
> With regards to the environment variables this is what I am using:
>
> RAUC_KEY_FILE="/h4-work/certs/rauc/firmware-key.pem"
> RAUC_CERT_FILE="/h4-work/certs/rauc/firmware.pem"
> RAUC_KEYRING_FILE="firmware-keyring.pem" (which is the file that I am
> using on the device)
>
> I don't really know how to get past this issue, any points would be
> highly appreciated.
The variables look fine.
Regards,
Jan
_______________________________________________
RAUC mailing list
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-04-29 6:53 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-28 17:55 [RAUC] problems verifying a bundle Diego González
2020-04-29 6:53 ` Jan Lübbe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox