System update failed

Hi! I'm getting the following error when trying to update using the Software Update. ── 21:03:45 - System update ──────────────────────────────────────────────────── Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-nvidia:stable error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature System update failed: 0: Command failed: /usr/bin/rpm-ostree upgrade 1: /usr/bin/rpm-ostree failed: exit status: 1 Location: src/steps/os/linux.rs:273
Solution:
sudo sed -iE 's/ublue-os"/_keylost"/g' /etc/containers/policy.json
Jump to solution
47 Replies
antheas
antheas6mo ago
nice
WilfordGrimley
WilfordGrimley6mo ago
I am getting the same on bazzite-deck stable on my OLED machine. It happens when trying to update or rebase.
antheas
antheas6mo ago
@Robert (p5) @EyeCantCU @bsherman did it start yet?
WilfordGrimley
WilfordGrimley6mo ago
Output of rpm-ostree status
No description
bsherman
bsherman6mo ago
what is your question?
antheas
antheas6mo ago
look at the help thread
EyeCantCU
EyeCantCU6mo ago
It's a global secret. All images built will have been signed with the new key
antheas
antheas6mo ago
since when the key was rotated 1 hour ago no?
EyeCantCU
EyeCantCU6mo ago
I don't know when exactly the secret was updated or when all images were last built
antheas
antheas6mo ago
8 hours ago bazzite
bsherman
bsherman6mo ago
secret update July 2, 8:59 AM CDT
EyeCantCU
EyeCantCU6mo ago
I think we should just document the rebase process
bsherman
bsherman6mo ago
lets go to the other thread for that discussion plz 🙂
WilfordGrimley
WilfordGrimley6mo ago
Can I have a link to that thread to help me understand please?
antheas
antheas6mo ago
big oupsie no key shouldnt have affected stuff yet new* key Chillax guys I'll get you your curl script
noobeta
noobeta6mo ago
Eeer, right now I also encounter this error when trying to update.
Solution
antheas
antheas6mo ago
sudo sed -iE 's/ublue-os"/_keylost"/g' /etc/containers/policy.json
antheas
antheas6mo ago
there you go guys enjoy
FardinHaque
FardinHaqueOP6mo ago
That seems to have fixed it! Thanks @antheas
antheas
antheas6mo ago
to anyone seeing this in the future this will disable image signing by a key so you should update to the new one after updating ill post the instructions soon mind the fact the old bazzite update catalog will become inaccessible after that
p5
p56mo ago
Will that command edit the policy.json file? rpm-ostree doesn't use podman under the hood
antheas
antheas6mo ago
yes one sec we need the one that fixes the key and i need to try it
FardinHaque
FardinHaqueOP6mo ago
Is there something else i have to do after using the fix you provided? I am super new to linux so will wait for your instructions. Right now after running the command it is updating again normally.
antheas
antheas6mo ago
relax play some games and come in this thread tomorrow
FardinHaque
FardinHaqueOP6mo ago
thanks will do lol 🫡
antheas
antheas6mo ago
sudo podman image trust set --type accept ghcr.io/ublue-os for now only this command works which disables verification working on a command that does both
Decay
Decay6mo ago
@antheas what’s the steps to get the new key? Or is this handled by updating?
antheas
antheas6mo ago
we will try to make it work after updating seamlessly however, even if i give you the key now i cant get it to work so new key is not working, the command above will in any case
Decay
Decay6mo ago
Great I will sit tight then 🙂
WilfordGrimley
WilfordGrimley6mo ago
@antheas Are
sudo sed -iE 's/ublue-os"/_keylost"/g' /etc/containers/policy.json
sudo sed -iE 's/ublue-os"/_keylost"/g' /etc/containers/policy.json
still the recommend solutions? Will solving temporarily this way have any conflict with the script/solution being built in the other thread?
antheas
antheas6mo ago
let me remove the second one and leave the first one for the lols remove it as well for bazzite users that want to use older versions, the current solution is sudo podman image trust set --type accept ghcr.io/ublue-os we are working on a script that will secure future bazzite versions and we will try to sign older bazzite builds so you can roll back but at this point, the only clean solution is disabling signature verification theres currently no future bazzite version, so unless you disable signature verification you cant update
WilfordGrimley
WilfordGrimley6mo ago
Is that temp solution compatible with the future script if I just want to move forward with updated in :stable? The timing of this is so sad, because I wanted to pin the last working build with nvidia 550 for my desktop rig.
antheas
antheas6mo ago
right now no you can always edit the file by hand in the future it seems that sudo podman image trust set --type sigstoreSigned is not doing the full config replacement so it doesnt work correctly? it needs more testing that will happen tomorrow in any case, ill make sure theres a script that can migrate anyone that disables signature verification
p5
p56mo ago
We are also going to be looking into re-signing select older images so they can be rebased to after the fixes have been applied. This has not yet been implemented, but is planned
antheas
antheas6mo ago
also worth mentioning TLS encryption still protects your bazzite updates, even without signature verification so it is perfectly safe temporarily long term we would like to get that back though
WilfordGrimley
WilfordGrimley6mo ago
Really appreciate all of you devs crunching today to try to find solutions for this.
psirix
psirix6mo ago
amen to that... was excited to hear about the release and appreciate having this thread to get on the upgrade train!
WilfordGrimley
WilfordGrimley6mo ago
@antheas Is there anything I should do to undo sudo podman image trust set --type accept ghcr.io/ublue-os ? before or after running the bash script? this is the output of my podman image trust show --raw https://paste.centos.org/view/8bc1b1b1
wolfyreload
wolfyreload6mo ago
The script edits /etc/containers/policy.json This is the relevant part in your file
"ghcr.io/ublue-os": [
{
"type": "insecureAcceptAnything"
}
],
"ghcr.io/ublue-os": [
{
"type": "insecureAcceptAnything"
}
],
This is what it looks like in mine

"ghcr.io/ublue-os": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],

"ghcr.io/ublue-os": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
You'll need to set it to this before you run the fix in announcements
antheas
antheas6mo ago
Or just edit it to remove user from the key and download the new key But that's it that's the change not much to it If any of you want I can turn that into a command !!! Important: for anyone that ran any of the commands in this thread, you need to restore your policy before using the fix in the announcement: sudo cp /usr/etc/containers/policy.json /etc/containers/policy.json then after running the fix in the announcement, verify the policy is applied and says sigstoreSigned sudo podman image trust show | grep ghcr this will overwrite your policy file, so if you do container stuff and have a custom policy, edit the file manually
Decay
Decay6mo ago
Will reinstalling also fix this with the newest image?
antheas
antheas6mo ago
Why reinstall Yes clean installations from when the next ISOs come out will not have an issue Maybe they already came out
TheDarkSideOfCookies
@antheas Is ok in this way?
No description
Kyle Gospo
Kyle Gospo6mo ago
If you haven't followed any of the stuff in this thread yet, do what's in #announcements instead
antheas
antheas6mo ago
Yes Announcement won't work if they followed this thread
Dwarrelpoot
Dwarrelpoot6mo ago
I used the commands from this thread on my oled deck and got the same results as @TheDarkSideOfCookies without changing anything. Took a look at my policy.json and everything was ready to go. Can’t really say how that happened but I’m happy nonetheless!
Want results from more Discord servers?
Add your server