BlueBuild · 3mo ago
fx

Can't update - skopeo error

When trying to run rpm-ostree upgrade, I get the following error:
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
5 Replies
Luke Skywunker · 3mo ago
Did you replace your private/public key pair recently? If so, you might have to rebase to your image using rpm-ostree rebase ostree-unverified-image:docker://image.path/to/your/image and then back again with rpm-ostree rebase ostree-image-signed:docker://....
fiftydinar · 3mo ago
that won't work, he needs to do this if it's private/public key issue (copying again lol):
Solution
fiftydinar · 3mo ago
I'll copy my answer:

For anyone who encounters this, these are the steps to solve the issue:

1. Copy new cosign.pub from your repo to /etc/pki/containers/$your_image_name.pub
       sudo cp your-cosign.pub /etc/pki/containers/$your_image_name.pub
2. Modify /etc/containers/policy.json, locate your image registry link, in keyPath edit location to be from /usr/etc to /etc
       "keyPath": "/etc/pki/containers/$your_image_name.pub"
3. Run rpm-ostree upgrade & reboot
4. Copy new policy.json
       sudo cp /usr/etc/containers/policy.json /etc/containers/policy.json
5. Profit

You can verify if new cosign & policy.json is used here. If they're not listed, then you're good. This command tracks changed files in /etc compared to /usr/etc
       sudo ostree admin config-diff
fx (OP) · 3mo ago
I didn't change the key pair, it just broke randomly for some reason. But I'll try this, thanks
fiftydinar · 3mo ago
Just remembered that this is not needed, because we merged this change in signing module:
Modify /etc/containers/policy.json, locate your image registry link, in keyPath edit location to be from /usr/etc to /etc
keyPath should point to /etc/ by default now
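
Added example, not part of the thread or of BlueBuild's own code: a read-only check that lists every sigstoreSigned rule in a containers policy.json whose keyPath still points under /usr/etc or names a public key file that does not exist, the two conditions the steps above correct. The registry paths and key names in the sample policy are constructed placeholders.

```python
import json
import os

# Constructed sample policy (not from the thread); registry paths and key names are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "ghcr.io/example/my-image": [
        {"type": "sigstoreSigned",
         "keyPath": "/usr/etc/pki/containers/my-image.pub",
         "signedIdentity": {"type": "matchRepository"}}
      ],
      "ghcr.io/example/other": [
        {"type": "sigstoreSigned",
         "keyPath": "/etc/pki/containers/other.pub"}
      ],
      "": [{"type": "insecureAcceptAnything"}]
    }
  }
}
""")


def audit_key_paths(policy, exists=os.path.exists):
    """Return (scope, keyPath, problem) for each sigstoreSigned rule whose key looks wrong."""
    findings = []
    for scopes in policy.get("transports", {}).values():
        for scope, rules in scopes.items():
            for rule in rules:
                key = rule.get("keyPath")
                if rule.get("type") != "sigstoreSigned" or not key:
                    continue  # unsigned or keyless rules are out of scope here
                if key.startswith("/usr/etc/"):
                    findings.append((scope, key, "keyPath under /usr/etc"))
                elif not exists(key):
                    findings.append((scope, key, "public key file missing"))
    return findings


if __name__ == "__main__":
    path = "/etc/containers/policy.json"
    if os.path.exists(path):
        with open(path) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY  # fall back to the constructed sample
    for scope, key, problem in audit_key_paths(policy):
        print(f"{scope}: {key}: {problem}")
```

The check only looks at where the key is configured and whether the file is present; whether that key matches the one the image was signed with still has to be confirmed against the cosign.pub in your repo.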