Page MenuHomeVyOS Platform
Create Task
Maniphest T3027

Unable to update system Signature check FAILED
Closed, ResolvedPublicBUG
Actions

Description

Unable to update system to the latest rolling

vyos@r2-roll:~$ add system image https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Trying to fetch ISO file from https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  309M  100  309M    0     0  6035k      0  0:00:52  0:00:52 --:--:-- 2199k
ISO download succeeded.
Checking SHA256 (256-bit) checksum...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0    189      0 --:--:-- --:--:-- --:--:--   189
Found it.  Verifying checksum...
sha256sum: vyos-1.3-rolling-202010280217-amd64.iso: No such file or directory
vyos-1.3-rolling-202010280217-amd64.iso: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read
Signature check FAILED.
Installation will not be performed.
Exiting...
vyos@r2-roll:~$

It happened after that commit https://github.com/vyos/vyatta-cfg-system/pull/131/commits/34b46ca2738fe6a9d15b0ee52deb3d3d5f76606e

Something wrong with that code https://github.com/vyos/vyatta-cfg-system/blob/current/scripts/install/install-image#L166-L182

Log from my previus update from 26 oct:

Maybe it expect "vyos-1.3-rolling-202010260327-amd64.iso" but get vyos-rolling-latest.iso

root@r4-roll:/home/vyos# sha256sum --check vyos-rolling-latest.iso.sha256 
sha256sum: vyos-1.3-rolling-202010260327-amd64.iso: No such file or directory
vyos-1.3-rolling-202010260327-amd64.iso: FAILED open or read
sha256sum: WARNING: 1 listed file could not be read
root@r4-roll:/home/vyos# 
root@r4-roll:/home/vyos# ls
1.txt  test.sh	vyos-rolling-latest.iso  vyos-rolling-latest.iso.sha256
root@r4-roll:/home/vyos# mv vyos-rolling-latest.iso vyos-1.3-rolling-202010260327-amd64.iso
root@r4-roll:/home/vyos# sha256sum --check vyos-rolling-latest.iso.sha256 
vyos-1.3-rolling-202010260327-amd64.iso: OK
root@r4-roll:/home/vyos#

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.3-rolling-202010210152
Why the issue appeared?
Design mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav changed the task status from Open to Confirmed.Oct 28 2020, 1:00 PM
Viacheslav triaged this task as High priority.
Viacheslav created this task.
phillipmcmahon added a subscriber: phillipmcmahon.Oct 28 2020, 1:51 PM
Viacheslav updated the task description. (Show Details)Oct 28 2020, 3:55 PM
c-po claimed this task.Oct 28 2020, 4:22 PM
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po added a comment.EditedOct 28 2020, 4:25 PM

The root cause for this is the sha256 checksum file itself. It contains the hash and the filename. When running sha256 --check during the upgrade it expects the "real" filename when calculating and verifying the hash. The real filename differs when using the vyos-rolling-latest.iso symlink on the webserver as it will tell the running VyOS installation a different filename and the validation fails. This is now fixed by not depending on the filename when verifying the has. We simply calculate the hash of the downloaded file and compare it to the hash we saved inside the checksum file and totally ignore the filename itself.

c-po closed this task as Resolved.Oct 28 2020, 4:28 PM
pasik added a subscriber: pasik.Oct 29 2020, 9:11 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 23 2020, 3:29 PM
erkin set Issue type to Bug (incorrect behavior).Aug 29 2021, 12:24 PM
erkin removed a subscriber: Active contributors.
syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus.Aug 29 2022, 12:27 PM
syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.