Checking digital signature failed on downgrade from rolling to stable.
Closed, WontfixPublicBUG
Actions

Assigned To

Authored By

	Unknown Object (User)
	Oct 19 2020, 10:01 AM

Description

When try to downgrade VyOS from the rolling version to stable, as an example to 1.2.6 we got a a confusing issue.

vyos@R2-QAT:~$ add system image https://cdn.vyos.io/1.2.6-S1/xxx/vyos-1.2.6-S1-amd64.iso
Trying to fetch ISO file from https://cdn.vyos.io/1.2.6-S1/xxx/vyos-1.2.6-S1-amd64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  409M  100  409M    0     0  10.4M      0  0:00:38  0:00:38 --:--:-- 10.0M
ISO download succeeded.
Checking for digital signature file...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   833  100   833    0     0   2953      0 --:--:-- --:--:-- --:--:--  2943
Found it.  Checking digital signature...
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: keyblock resource '/etc/apt/trusted.gpg': No such file or directory
gpg: assuming signed data in '/var/tmp/install-image.12936/vyos-1.2.6-S1-amd64.iso'
gpg: Signature made Sun 27 Sep 2020 10:19:27 AM UTC
gpg:                using RSA key 0694A9230F5139BF834BA458FD220285A0FE6D7E
gpg: Can't check signature: No public key
Signature check FAILED.
Do you want to continue anyway? (yes/no) [no]

May be will suitable to add trusted.gpg to rolling to prevent this

Details

Version: 1.3-rolling-202010140146
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Unknown Object (User) created this task.Oct 19 2020, 10:01 AM

pasik subscribed.Oct 19 2020, 11:39 AM

Not sure that it makes sense to downgrade the image from 1.3 to 1.2.
Because there are also no migration "downgrade" scripts.
I propose to add an additional check and disable downgrade images for "add system image".

Disable downgrades in general is a bad idea. We still can leave the user with a broken config on downgrade but prevent it is bad. Imagine a very simple config, that would be downgradable.

c-po triaged this task as High priority.Aug 28 2021, 7:20 AM

c-po added a project: test.

c-po set Issue type to Unspecified (please specify).

erkin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).Aug 29 2021, 12:32 PM

erkin removed a subscriber: Global Notifications.

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed test, VyOS 1.3 Equuleus.Sep 5 2021, 7:06 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus (1.3.0-epa1).Nov 1 2021, 10:09 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:04 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:40 PM

syncer closed this task as Wontfix.Jul 12 2023, 11:55 PM

syncer claimed this task.

syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM