Hi, On Tue, 2020-04-28 at 19:55 +0200, Diego González wrote: > Hello, > > I am having issues when I try to verify a bundle downloaded on the > device. I am using rauc 1.3 through the meta-rauc for Yocto.
We added support for certificate key usage/purpose in 1.3. Is this a regression compared to 1.2? > I am running rauc info [name of the bundle].raucb on the device. The > output I get is the following: > > rauc-Message: 17:24:54.156: Debug log domains: 'all' > (rauc:528): rauc-DEBUG: 17:24:54.165: input bundle: /var/1/rauc- > bundle-raspberrypi3-64.raucb > (rauc:528): rauc-DEBUG: 17:24:54.166: No value for key "max-bundle- > download-size" in [system] defined - using default value of 8388608 > bytes. > (rauc:528): rauc-DEBUG: 17:24:54.166: No mount prefix provided, using > /mnt/rauc/ as default > rauc-Message: 17:24:54.167: Reading bundle: /var/1/rauc-bundle- > raspberrypi3-64.raucb > (rauc:528): GLib-GIO-DEBUG: 17:24:54.170: _g_io_module_get_default: > Found default implementation local (GLocalVfs) for ?gio-vfs? > rauc-Message: 17:24:54.173: Verifying bundle... > signature verification failed: Verify error:unsupported certificate > purpose If you haven't specified check-purpose in your system.conf, I suspect that you have keyUsage or extendedKeyUsage attributes in your certificate chain. Could you upload the output of openssl x509 -in <foo.pem> -text for all certificates somewhere so we can check that? This looks similar to https://github.com/rauc/rauc/issues/568, but so far we haven't found the underlying cause with the certificates in that issue yet. > I don't really know how to get past this issue. I have included in a > file the root certificate, intermediate certificate and the > certificate that corresponds to they key used to sign the bundle. And > I point to that file with path=/etc/rauc/firmware-keyring.pem in the > system.conf file. > > previous to doing that I was getting: > [...] > signature verification failed: Verify error:unable to get local > issuer certificate As you're using an intermediate certificate, that needs to be either included in the keyring or included with the bundle signature: https://rauc.readthedocs.io/en/latest/advanced.html#intermediate-certificates > With regards to the environment variables this is what I am using: > > RAUC_KEY_FILE="/h4-work/certs/rauc/firmware-key.pem" > RAUC_CERT_FILE="/h4-work/certs/rauc/firmware.pem" > RAUC_KEYRING_FILE="firmware-keyring.pem" (which is the file that I am > using on the device) > > I don't really know how to get past this issue, any points would be > highly appreciated. The variables look fine. Regards, Jan _______________________________________________ RAUC mailing list