Error : Update signature has failed verification when trying a custom made update.tar


Vaishali Dhakate

Mar 14, 2022, 3:24:00 AM
to openxt
Dear openxt Team,

I have been working on Synchronizer to download a custom OTA update to the openxt device.
These are the steps I followed from the OpenXT Developer Guide
  mkdir WORK_DIR
  cp netExtenderClient/openxt-installer.iso WORK_DIR/
  cd WORK_DIR/
  sudo losetup /dev/loop13 openxt-installer.iso
  mkdir ../mnt
  sudo mount /dev/loop13 ../mnt
  cp -r ../mnt/packages.main/ ./
  mkdir packages.main.custom
  mkdir bin
  mkdir crypto
  export WORK_DIR=/home/s/WORK_DIR/
  openssl genrsa -out ${WORK_DIR}/crypto/priv.key
  openssl req -new -x509 -key ${WORK_DIR}/crypto/priv.key -out ${WORK_DIR}/crypto/cacert.pem -days 1095
  cp packages.main/dom0-rootfs.ext3.gz packages.main.custom/
  gunzip ${WORK_DIR}/packages.main.custom/dom0-rootfs.ext3.gz
  mkdir mnt
  sudo mount -o loop ${WORK_DIR}/packages.main.custom/dom0-rootfs.ext3 ${WORK_DIR}/mnt
  sudo cp ${WORK_DIR}/crypto/cacert.pem ${WORK_DIR}/mnt/usr/share/xenclient/repo-certs/prod
  pushd ${WORK_DIR}/mnt/usr/share/xenclient/repo-certs/prod
  sudo ln -s cacert.pem $(openssl x509 -noout -hash -in cacert.pem).0
  popd
  gzip ${WORK_DIR}/packages.main.custom/dom0-rootfs.ext3
  ls
  cp -r ../Downloads/sdk-master/Custom_OTA_Update/ bin/
  export PATH=${PATH}:${WORK_DIR}/bin
  gen-packages.sh -s packages.main -d packages.main.custom/ -o packages.main.custom/XC-PACKAGES
  gen-repository.sh -s packages.main -d packages.main.custom/ -o packages.main.custom/XC-REPOSITORY
  gen-signature.sh -s crypto/ -d packages.main.custom -r packages.main.custom/XC-REPOSITORY -c crypto/cacert.pem -k crypto/priv.key -o packages.main.custom/XC-SIGNATURE
  mv packages.main.custom/ packages.main
  tar -cvf update.tar packages.main/

In the gen-signature.sh file I can see that the command below is being used.
openssl smime -sign \
              -aes256 \
              -binary \
              -in "${REPO}" \
              -out "${OFILE}" \
              -outform PEM \
              -signer "${CERT}" \
              -inkey "${KEY}"
Could there be any issue with the signature creation?


Mar 14 05:24:23.433868 dbd: [info|dbd] Updating database
Mar 14 05:24:23.447958 dbd: [info|dbd] rm :1.21 /updatemgr/update-state
Mar 14 05:24:23.449115 updatemgr: in applyUpdateFromTarball
Mar 14 05:24:23.454440 updatemgr: in stage: NoUpdate
Mar 14 05:24:23.455463 updatemgr: and in the right stage
Mar 14 05:24:23.455773 dbd: [info|dbd] write :1.21 /updatemgr/update-state applying
Mar 14 05:24:23.468649 updatemgr: request to unpack "/storage/update-staging/4c720679-9b0f-4c65-b6cc-ee8d6f6a08bf.tar" to "/storage/update/untarTemp"
Mar 14 05:24:26.505242 dbd: [info|dbd] Updating database
Mar 14 05:24:26.540259 updatemgr:
Mar 14 05:24:26.540283 updatemgr: unpacked "/storage/update-staging/4c720679-9b0f-4c65-b6cc-ee8d6f6a08bf.tar" to "/storage/update/untarTemp"
Mar 14 05:24:26.540295 updatemgr: unpacked tarball to updateDirUntarTemp.
Mar 14 05:24:27.199336 updatemgr: Verification failure
Mar 14 05:24:27.199356 updatemgr: 140338294215232:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:../openssl-1.1.1l/crypto/pkcs7/pk7_smime.c:284:Verify error:self signed certificate
Mar 14 05:24:27.204936 updatemgr: verify-repo-metadata: signature NOT VALID
Mar 14 05:24:27.205154 updatemgr: Failed to apply update from tarball - 314:failed signature verification

Mar 14 05:24:27.205440 dbd: [info|dbd] write :1.21 /updatemgr/update-fail-reason 314:failed signature verification
Mar 14 05:24:27.205996 dbd: [info|dbd] write :1.21 /updatemgr/update-state failed
Mar 14 05:24:28.113045 uid: [info|uid] UI: Update signature has failed verification [25]
Mar 14 05:24:29.803342 dbd: [info|dbd] Updating database
Mar 14 05:24:53.266799 VM uivm (3): Memory pressure relief: Total: res = 97234944/89321472/-7913472, res+swap = 95547392/95547392/0
Mar 14 05:25:23.276304 VM uivm (3): Memory pressure relief: Total: res = 89604096/89759744/155648, res+swap = 87855104/87855104/0
Mar 14 05:25:53.285808 VM uivm (3): Memory pressure relief: Total: res = 90247168/90349568/102400, res+swap = 88457216/88457216/0
Mar 14 05:26:23.295527 VM uivm (3): Memory pressure relief: Total: res = 90624000/90771456/147456, res+swap = 88772608/88772608/0
Mar 14 05:26:53.305832 VM uivm (3): Memory pressure relief: Total: res = 91148288/91271168/122880, res+swap = 89382912/89382912/0
Mar 14 05:27:23.316114 VM uivm (3): Memory pressure relief: Total: res = 91451392/91537408/86016, res+swap = 89624576/89624576/0

Thanks and grateful for the help.
Regards
Vaishali.

Jason Andryuk

Mar 14, 2022, 12:39:07 PM
to Vaishali Dhakate, openxt
Hi Vaishali,

On Mon, Mar 14, 2022 at 3:24 AM Vaishali Dhakate
<vaishali...@networkmarvels.com> wrote:

> openssl genrsa -out ${WORK_DIR}/crypto/priv.key
> openssl req -new -x509 -key ${WORK_DIR}/crypto/priv.key -out ${WORK_DIR}/crypto/cacert.pem -days 1095

Here you are creating a new cacert and private key.

> sudo cp ${WORK_DIR}/crypto/cacert.pem ${WORK_DIR}/mnt/usr/share/xenclient/repo-certs/prod

You installed the cert in the dom0 image.

> gen-signature.sh -s crypto/ -d packages.main.custom -r packages.main.custom/XC-REPOSITORY -c crypto/cacert.pem -k crypto/priv.key -o packages.main.custom/XC-SIGNATURE

You re-sign the OTA package.

> Mar 14 05:24:23.433868 dbd: [info|dbd] Updating database
> Mar 14 05:24:23.447958 dbd: [info|dbd] rm :1.21 /updatemgr/update-state
> Mar 14 05:24:23.449115 updatemgr: in applyUpdateFromTarball
> Mar 14 05:24:23.454440 updatemgr: in stage: NoUpdate
> Mar 14 05:24:23.455463 updatemgr: and in the right stage
> Mar 14 05:24:23.455773 dbd: [info|dbd] write :1.21 /updatemgr/update-state applying
> Mar 14 05:24:23.468649 updatemgr: request to unpack "/storage/update-staging/4c720679-9b0f-4c65-b6cc-ee8d6f6a08bf.tar" to "/storage/update/untarTemp"
> Mar 14 05:24:26.505242 dbd: [info|dbd] Updating database
> Mar 14 05:24:26.540259 updatemgr:
> Mar 14 05:24:26.540283 updatemgr: unpacked "/storage/update-staging/4c720679-9b0f-4c65-b6cc-ee8d6f6a08bf.tar" to "/storage/update/untarTemp"
> Mar 14 05:24:26.540295 updatemgr: unpacked tarball to updateDirUntarTemp.
> Mar 14 05:24:27.199336 updatemgr: Verification failure
> Mar 14 05:24:27.199356 updatemgr: 140338294215232:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:../openssl-1.1.1l/crypto/pkcs7/pk7_smime.c:284:Verify error:self signed certificate
> Mar 14 05:24:27.204936 updatemgr: verify-repo-metadata: signature NOT VALID
> Mar 14 05:24:27.205154 updatemgr: Failed to apply update from tarball - 314:failed signature verification

Here you have a running system with
/usr/share/xenclient/repo-certs/prod/cacert.pem. When you generated
and signed your update.tar, you created a new, different
prod/cacert.pem and used that to sign update.tar. So the running
system cacert.pem is used to check the signature in update.tar, which
will fail.

You can replace the running system cacert.pem with the newly generated
one. Or you can sign the update.tar with the key used on your build
host. Note that you may only have the dev cacert.pem installed on
your running system, so you need to set ALLOW_DEV_REPO_CERT='true'
in /config/repo-cert.conf.

Regards,
Jason
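The failure above can be reproduced and pre-checked on the build host before shipping an update.tar. The script below is an added example, not part of this thread or of OpenXT's own scripts: it signs a constructed stand-in for XC-REPOSITORY with the same openssl smime -sign options gen-signature.sh uses (without -aes256, which only affects -encrypt), then verifies it once against the signing cert and once against an unrelated self-signed cert, which is the situation the device is in when its repo-certs/prod/cacert.pem differs from the one used to sign. The -verify command line is an assumption about what verify-repo-metadata runs, and the device-side cert path appears only in comments.

```shell
#!/bin/sh
# Added example: reproduce the OpenXT updatemgr signature check locally.
# Requires the openssl CLI. All files live in a temporary directory.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed cert + key named $1 ("prod" = the cert used to sign,
# "other" = a different cert, standing in for the one already installed at
# /usr/share/xenclient/repo-certs/prod/cacert.pem on a running device).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# Sign the repository metadata the way gen-signature.sh does (detached PEM PKCS#7).
sign_repo() {
    openssl smime -sign -binary -in "$WORK/XC-REPOSITORY" -out "$WORK/XC-SIGNATURE" \
        -outform PEM -signer "$WORK/prod.pem" -inkey "$WORK/prod.key"
}

# Verify XC-SIGNATURE over XC-REPOSITORY trusting only the cert given as $1
# (assumed to be what verify-repo-metadata does). Returns 0 if the signature
# validates; openssl's error text is kept in err.txt for inspection.
verify_with() {
    openssl smime -verify -binary -inform PEM -in "$WORK/XC-SIGNATURE" \
        -content "$WORK/XC-REPOSITORY" -CAfile "$1" -out /dev/null 2>"$WORK/err.txt"
}

make_ca prod
make_ca other
printf 'constructed XC-REPOSITORY stand-in\n' > "$WORK/XC-REPOSITORY"   # constructed input
sign_repo

# Same cert as installed on the device: valid.
verify_with "$WORK/prod.pem" && echo "prod.pem:  signature valid"
# Device trusts a different cert: fails with the "self signed certificate" error seen in the log.
verify_with "$WORK/other.pem" || echo "other.pem: signature NOT VALID ($(tr -d '\n' < "$WORK/err.txt" | cut -c1-80))"
```

Run it on the build host with the cert you actually plan to trust on the device passed to verify_with; if that call fails, the device will report 314:failed signature verification exactly as above.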