System update failed
Hi!
I'm getting the following error when trying to update using the Software Update.
── 21:03:45 - System update ────────────────────────────────────────────────────
Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-nvidia:stable
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
System update failed:
0: Command failed:
/usr/bin/rpm-ostree upgrade
1: /usr/bin/rpm-ostree
failed: exit status: 1
Location:
src/steps/os/linux.rs:27347 Replies
nice
I am getting the same on bazzite-deck stable on my OLED machine.
It happens when trying to update or rebase.
@Robert (p5) @EyeCantCU @bsherman did it start yet?
Output of rpm-ostree status
what is your question?
look at the help thread
It's a global secret. All images built will have been signed with the new key
since when
the key was rotated 1 hour ago no?
I don't know when exactly the secret was updated or when all images were last built
8 hours ago bazzite
secret update July 2, 8:59 AM CDT
I think we should just document the rebase process
lets go to the other thread for that discussion plz 🙂
Can I have a link to that thread to help me understand please?
big oupsie no key shouldnt have affected stuff yet
new* key
Chillax guys I'll get you your curl script
Eeer, right now I also encounter this error when trying to update.
Solution
sudo sed -iE 's/ublue-os"/_keylost"/g' /etc/containers/policy.json
there you go guys
enjoy
That seems to have fixed it! Thanks @antheas
to anyone seeing this in the future
this will disable image signing by a key
so you should update to the new one after updating
ill post the instructions soon
mind the fact the old bazzite update catalog will become inaccessible after that
Will that command edit the policy.json file? rpm-ostree doesn't use podman under the hood
yes
one sec
we need the one that fixes the key
and i need to try it
Is there something else i have to do after using the fix you provided? I am super new to linux so will wait for your instructions. Right now after running the command it is updating again normally.
relax play some games and come in this thread tomorrow
thanks will do lol 🫡
sudo podman image trust set --type accept ghcr.io/ublue-os
for now only this command works
which disables verification
working on a command that does both
@antheas what’s the steps to get the new key? Or is this handled by updating?
we will try to make it work after updating seamlessly
however, even if i give you the key now
i cant get it to work so
new key is not working, the command above will in any case
Great I will sit tight then 🙂
@antheas
Are
still the recommended solutions? Will solving temporarily this way have any conflict with the script/solution being built in the other thread?
let me remove the second one and leave the first one for the lols
remove it as well
for bazzite users that want to use older versions, the current solution is
sudo podman image trust set --type accept ghcr.io/ublue-os
we are working on a script that will secure future bazzite versions
and we will try to sign older bazzite builds so you can roll back
but at this point, the only clean solution is disabling signature verification
theres currently no future bazzite version, so unless you disable signature verification you cant update
Is that temp solution compatible with the future script if I just want to move forward with updated in :stable?
The timing of this is so sad, because I wanted to pin the last working build with nvidia 550 for my desktop rig.
right now no
you can always edit the file by hand in the future
it seems that
sudo podman image trust set --type sigstoreSigned
is not doing the full config replacement
so it doesnt work correctly? it needs more testing that will happen tomorrow
in any case, ill make sure theres a script that can migrate anyone that disables signature verification
We are also going to be looking into re-signing select older images so they can be rebased to after the fixes have been applied. This has not yet been implemented, but is planned
also worth mentioning TLS encryption still protects your bazzite updates, even without signature verification
so it is perfectly safe temporarily
long term we would like to get that back though
Really appreciate all of you devs crunching today to try to find solutions for this.
amen to that... was excited to hear about the release and appreciate having this thread to get on the upgrade train!
@antheas Is there anything I should do to undo
sudo podman image trust set --type accept ghcr.io/ublue-os
? before or after running the bash script?
this is the output of my podman image trust show --raw
https://paste.centos.org/view/8bc1b1b1
The script edits
/etc/containers/policy.json
This is the relevant part in your file
This is what it looks like in mine
You'll need to set it to this before you run the fix in announcements
Or just edit it to remove user from the key and download the new key
But that's it that's the change not much to it
If any of you want I can turn that into a command
!!! Important: for anyone that ran any of the commands in this thread, you need to restore your policy before using the fix in the announcement:
sudo cp /usr/etc/containers/policy.json /etc/containers/policy.json
then after running the fix in the announcement, verify the policy is applied and says sigstoreSigned
sudo podman image trust show | grep ghcr
this will overwrite your policy file, so if you do container stuff and have a custom policy, edit the file manually
Will reinstalling also fix this with the newest image?
Why reinstall
Yes clean installations from when the next ISOs come out will not have an issue
Maybe they already came out
@antheas Is ok in this way?
If you haven't followed any of the stuff in this thread yet, do what's in #announcements instead
Yes
Announcement won't work if they followed this thread
I used the commands from this thread on my oled deck and got the same results as @TheDarkSideOfCookies without changing anything. Took a look at my policy.json and everything was ready to go.
Can’t really say how that happened but I’m happy nonetheless!