For quite a long time i ignored the failed signature check when VyOS update bei 'add system image'. It's still not possible in current rolling release.
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201805210337-amd64.iso % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 351M 100 351M 0 0 37.2M 0 0:00:09 0:00:09 --:--:-- 43.5M ISO download succeeded. Checking for digital signature file... % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (22) The requested URL returned error: 404 Not Found Unable to fetch digital signature file. Do you want to continue without signature check? (yes/no) [yes]
What's the current situation about signature files?
Hi @Line2 actually this is some sort of intended. VyOS releases are signed manually with a GPG key, I guess from @dmbaturin. Making it "auto-sign" would require to store the key and make it available automatically. THis is in general abad idea to store your GPG private key and use it automatically in any sort of process. If the system is compromised and the Key is active, anyone can sign code.