Flatcar update failing with public key verification failure
25 views
Skip to first unread message
anand kumar
Aug 16, 2022, 1:06:54 AM8/16/22
to Flatcar Container Linux User
Hello folks,
We had set up an on-prem Flatcar update server (Nebraska) to manage updates on our cluster.
Only recently, when we tried to update the flatcar OS version in our cluster, the update engine on the machines would throw: `Public key verification failed, thus update failed. Attached Signature:...` after downloading the payload. The full logs can be found here.
We are trying to update to "2983.2.1 (AMD64)" in case you need the info (not sure that even matters). The public key is present at `/usr/share/update_engine/update-payload-key.pub.pem` on the machines just fine.
Any suggestions on what we should try to get out of this would be highly appreciated.
Thanks
Kai Lüke
Aug 16, 2022, 4:39:34 AM8/16/22
to anand kumar, Flatcar Container Linux User
Hello,
the pub key embedded in official Flatcar releases matches the official
update payloads, as soon as you build an own Flatcar image, there will
just be the dev key embedded and the official update payloads are
rejected unless forced.
Vice versa, if you want to update to your own signed payload, it would
also be rejected unless the pub key is provided in the image.
To update from a own-built Flatcar image, you can force the update
once by running "flatcar-update --force-flatcar-key -V VERSION" which
will bind-mount the official pub key inside the image and download an
official release update payload from the web server.
(If your Nebraska serves the official update payload and you want to
use this, you can do only the bind mount manually, see e.g., how the
"update-to-flatcar.sh" script does it in
https://www.flatcar.org/docs/latest/migrating-from-coreos/update-from-container-linux/)
Regards,
Kai
> --
> You received this message because you are subscribed to the Google Groups "Flatcar Container Linux User" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to flatcar-linux-u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/flatcar-linux-user/c3d98867-f2d2-4bd0-b4fe-dc904157ad2cn%40googlegroups.com.
--
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364
Geschäftsführer/Directors: Benjamin Owen Orndorff
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000
the pub key embedded in official Flatcar releases matches the official
update payloads, as soon as you build an own Flatcar image, there will
just be the dev key embedded and the official update payloads are
rejected unless forced.
Vice versa, if you want to update to your own signed payload, it would
also be rejected unless the pub key is provided in the image.
To update from a own-built Flatcar image, you can force the update
once by running "flatcar-update --force-flatcar-key -V VERSION" which
will bind-mount the official pub key inside the image and download an
official release update payload from the web server.
(If your Nebraska serves the official update payload and you want to
use this, you can do only the bind mount manually, see e.g., how the
"update-to-flatcar.sh" script does it in
https://www.flatcar.org/docs/latest/migrating-from-coreos/update-from-container-linux/)
Regards,
Kai
> You received this message because you are subscribed to the Google Groups "Flatcar Container Linux User" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to flatcar-linux-u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/flatcar-linux-user/c3d98867-f2d2-4bd0-b4fe-dc904157ad2cn%40googlegroups.com.
--
Kinvolk GmbH | Adalbertstr.6a, 10999 Berlin | tel: +491755589364
Geschäftsführer/Directors: Benjamin Owen Orndorff
Registergericht/Court of registration: Amtsgericht Charlottenburg
Registernummer/Registration number: HRB 171414 B
Ust-ID-Nummer/VAT ID number: DE302207000
Reply all
Reply to author
Forward
0 new messages