I built my own image and set up signing in the toolchain. It gives me signed images, and that’s awesome!
What’s not awesome is what happened when I added an image that I signed on top of one that still had VyOS keys in it, which is that it ultimately said “Digital signature is valid.” and didn’t prompt me to confirm. Full install transcript below:
```
vyos@vyos:/config/user-data/vyos-config$ a s i https://github.com/b-/vyos-build-action/releases/download/v1.4-rolling_bri_add-ssh_config-202301051411/vyos-1.4-rolling_bri_add-ssh_config-latest-amd64.iso
Trying to fetch ISO file from https://github.com/b-/vyos-build-action/releases/download/v1.4-rolling_bri_add-ssh_config-202301051411/vyos-1.4-rolling_bri_add-ssh_config-latest-amd64.iso...
Downloading...
Redirecting to https://objects.githubusercontent.com/github-production-release-asset-2e65be/583816895/263dcd4d-1c17-4368-8761-60a4e9396438?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230105T142523Z&X-Amz-Expires=300&X-Amz-Signature=71a4149143f59fe8aae6e050b41947efc4e395741b614e56b4de5b9146147b61&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=583816895&response-content-disposition=attachment%3B%20filename%3Dvyos-1.4-rolling_bri_add-ssh_config-latest-amd64.iso&response-content-type=application%2Foctet-stream
The file is 460.000 MiB.
[##############################################] 100%
Download complete.
Done.
Checking for digital signature file...
Downloading...
Redirecting to https://objects.githubusercontent.com/github-production-release-asset-2e65be/583816895/a30e5933-50ec-4394-8a36-f0628001e8b5?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230105%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230105T142533Z&X-Amz-Expires=300&X-Amz-Signature=e08bd259ad9685f140efbad93df4f58701e4ab4becc2b652a79f6d33efb4d3dd&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=583816895&response-content-disposition=attachment%3B%20filename%3Dvyos-1.4-rolling_bri_add-ssh_config-latest-amd64.iso.minisig&response-content-type=application%2Foctet-stream
The file is 0.339 KiB.
[##############################################] 100%
Download complete.
Checking digital signature...
Signature key id in /var/tmp/install-image.3178/vyos-1.4-rolling_bri_add-ssh_config-latest-amd64.iso.minisig is 92C16282E3ED6C
but the key id in the public key is 9EA8ECDCBDDCD6D1
Signature check FAILED, trying BACKUP key...
Signature key id in /var/tmp/install-image.3178/vyos-1.4-rolling_bri_add-ssh_config-latest-amd64.iso.minisig is 92C16282E3ED6C
but the key id in the public key is 69C20BE1367AEBB0
Digital signature is valid.
Checking SHA256 checksums of files on the ISO image... OK.
Done!
What would you like to name this image? [1.4-rolling_bri_add-ssh_config-202301051411]:
```
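A fail-closed pre-check for the mismatch shown in the transcript, as an added example that is not part of the original post and is not the VyOS installer's code: it reads the key id out of a minisign signature and out of each trusted public key, and returns no key when none matches. It assumes the standard minisign layout (2-byte algorithm tag, 8-byte little-endian key id, then the signature or key bytes); the sample blobs are constructed with zeroed bodies and carry the three key ids from the transcript, and the function names are hypothetical. A matching key id only selects which key to verify with, so the actual signature verification must still run and succeed.

```python
import base64
import struct

# alg tag + key id + signature / public key bytes
SIG_LEN, PUB_LEN = 2 + 8 + 64, 2 + 8 + 32


def key_id(text: str, blob_len: int) -> str:
    """Return the key id (16 hex digits) from a minisign .minisig or .pub file."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("untrusted comment:"):
            raw = base64.b64decode(line.strip(), validate=True)
            if len(raw) != blob_len:
                raise ValueError("unexpected blob length")
            (kid,) = struct.unpack_from("<Q", raw, 2)  # key id is little-endian
            return f"{kid:016X}"  # minisign itself prints without zero padding
    raise ValueError("no base64 payload found")


def select_trusted_key(minisig_text: str, trusted_pubkeys: dict):
    """Name of the trusted key whose id matches the signature, else None."""
    wanted = key_id(minisig_text, SIG_LEN)
    for name, pub_text in trusted_pubkeys.items():
        if key_id(pub_text, PUB_LEN) == wanted:
            return name
    return None  # fail closed: the caller must abort, not fall through


def _blob(alg: bytes, kid: int, body_len: int) -> str:
    """Constructed sample file: real header layout, zeroed key/signature body."""
    raw = alg + struct.pack("<Q", kid) + bytes(body_len)
    return ("untrusted comment: constructed sample\n"
            + base64.b64encode(raw).decode() + "\n")


# Constructed inputs using the key ids printed in the transcript.
SAMPLE_SIG = _blob(b"ED", 0x0092C16282E3ED6C, 64)
TRUSTED = {
    "primary": _blob(b"Ed", 0x9EA8ECDCBDDCD6D1, 32),
    "backup": _blob(b"Ed", 0x69C20BE1367AEBB0, 32),
}

if __name__ == "__main__":
    match = select_trusted_key(SAMPLE_SIG, TRUSTED)
    print("verify with:", match or "no trusted key matches; abort install")
```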