Page MenuHomePhabricator

add system image: failed signature check
Closed, ResolvedPublic

Asked by Line2 on May 21 2018, 9:06 AM.

Details

Hi
For quite a long time i ignored the failed signature check when VyOS update bei 'add system image'. It's still not possible in current rolling release.

Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-1.2.0-rolling%2B201805210337-amd64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  351M  100  351M    0     0  37.2M      0  0:00:09  0:00:09 --:--:-- 43.5M
ISO download succeeded.
Checking for digital signature file...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (22) The requested URL returned error: 404 Not Found
Unable to fetch digital signature file.
Do you want to continue without signature check? (yes/no) [yes]

What's the current situation about signature files?

Answers

c-po
Updated 548 Days Ago

Hi @Line2 actually this is some sort of intended. VyOS releases are signed manually with a GPG key, I guess from @dmbaturin. Making it "auto-sign" would require to store the key and make it available automatically. THis is in general abad idea to store your GPG private key and use it automatically in any sort of process. If the system is compromised and the Key is active, anyone can sign code.

Line2
Updated 548 Days Ago

Hi @c-po. That sounds logical. Only sign the official release not the rolling nightlies. Thnaks for the info

New Answer

Answer

This question has been marked as closed, but you can still leave a new answer.