Upgrading from 4.0.5: "Unable to finish URI (https://repo.turris.cz/hbs/mox/lists/base.lua): Signature verification failure"

When trying to update my MOX from 4.0.5 via pkgupdate (since the automatic updater is failing) I get:

root@turris:~# pkgupdate
line not found
line not found
line not found
ERROR:
runtime: [string "requests"]:395: [string "utils"]:429: Unable to finish URI (https://repo.turris.cz/hbs/mox/lists/base.lua): Signature verification failure

When trying to run various tests from the web UI I noticed IPv6 connectivity + IPv6 gateway connectivity are failing. Not sure if it’s related or not. Any suggestions to fix?

Same problem here. Turris 1.0 upgrading 5.0.2 -> 5.1

Updater selhal:

runtime: [string "requests"]:417: [string "utils"]:422: Unable to finish URI (https://repo.turris.cz/hbs/turris1x/lists/base.lua): Signature verification failure 

Error message both in Foris and in command line via pkgupdate.

If you disable IPv6 in Foris, is the result the same? If yes, then please post a longer debug log here (pkgupdate -e DBG).


Disabled ip6 in Foris (which kicked me out, relogged in, and confirmed ip4 tests still worked). pkgupdate still failed, so this is what I’m getting with pkgupdate -e DBG:

root@turris:~# pkgupdate -e DBG
DEBUG:src/lib/events.c:586 (run_util_init):Dumping busybox to: /tmp/updater-busybox-DHMCaN/busybox
DEBUG:src/lib/locks.c:45 (lua_acquire):Trying to get a lock at /var/lock/opkg.lock
DEBUG:backend.lua:358 (status_parse):Parsing status file /usr/lib/opkg/status
DEBUG:requests.lua:397 (Globals):Running script file:////etc/updater/conf.d/turris.lua
DEBUG:src/lib/download.c:49 (download_check_info):Download succesfull (https://repo.turris.cz/hbs/mox/lists/base.lua)
DEBUG:src/lib/download.c:49 (download_check_info):Download succesfull (https://repo.turris.cz/hbs/mox/lists/base.lua.sig)
DEBUG:src/lib/uri.c:648 (list_pubkey_collect):Unable to get pubkey file:///etc/updater/keys/test.pub: Unable to open local file for reading
DEBUG:src/lib/logging.c:202 (log_subproc_open):Verify https://repo.turris.cz/hbs/mox/lists/base.lua (/tmp/updater-sig-hLllFd) against /tmp/updater-pubkey-XXXXXX
DEBUG:src/lib/subprocess.c:107 (subprocloc):Running subprocess: usign -V -p /tmp/updater-pubkey-XXXXXX -x /tmp/updater-sig-hLllFd -m /tmp/updater-temp-cNgiej
Cannot open file '/tmp/updater-pubkey-XXXXXX' for reading
DEBUG:src/lib/logging.c:202 (log_subproc_open):Verify https://repo.turris.cz/hbs/mox/lists/base.lua (/tmp/updater-sig-hLllFd) against /tmp/updater-pubkey-fNipHg
DEBUG:src/lib/subprocess.c:107 (subprocloc):Running subprocess: usign -V -p /tmp/updater-pubkey-fNipHg -x /tmp/updater-sig-hLllFd -m /tmp/updater-temp-cNgiej
Premature end of file
DEBUG:src/lib/logging.c:202 (log_subproc_open):Verify https://repo.turris.cz/hbs/mox/lists/base.lua (/tmp/updater-sig-hLllFd) against /tmp/updater-pubkey-fIpeFK
DEBUG:src/lib/subprocess.c:107 (subprocloc):Running subprocess: usign -V -p /tmp/updater-pubkey-fIpeFK -x /tmp/updater-sig-hLllFd -m /tmp/updater-temp-cNgiej
Premature end of file
line not found
line not found
line not found
ERROR:src/pkgupdate/main.c:156 (main):
runtime: [string "requests"]:395: [string "utils"]:429: Unable to finish URI (https://repo.turris.cz/hbs/mox/lists/base.lua): Signature verification failure
DEBUG:src/lib/locks.c:82 (lua_lock_release):Released lock at /var/lock/opkg.lock
DEBUG:src/lib/events.c:604 (run_util_clean):Removing temporally busybox from: /tmp/updater-busybox-DHMCaN/busybox

Looks like the issue is with opening/reading the pubkey? Is there some .lck file or something that needs to be rm’d?

DEBUG:src/lib/uri.c:648 (list_pubkey_collect):Unable to get pubkey file:///etc/updater/keys/test.pub: Unable to open local file for reading
[…]
Cannot open file '/tmp/updater-pubkey-XXXXXX' for reading

I think that the real problem is this. Can you please verify the content of the /etc/updater/keys/*.pub files? There should always be two lines. The first is a comment and the second is a base64-encoded key. It sounds like either those files are empty or corrupted, or the signatures you download are.

The second thing you should do is test the download of https://repo.turris.cz/hbs/mox/lists/base.lua.sig using curl (curl https://repo.turris.cz/hbs/mox/lists/base.lua.sig). Optionally you can do the same for https://repo.turris.cz/hbs/mox/lists/base.lua, but that should be OK given the error you get.


release.pub and standby.pub:
Nothing

curl lua.sig:

root@turris:~# curl https://repo.turris.cz/hbs/mox/lists/base.lua.sig
untrusted comment: signed by key dcb20e535c62dd5b
RWTcsg5TXGLdWwp+Ys8ay2+9n/f0NBhYf2ILna6s/m8xie3S4i+fZhFVnpJf1AumeG0rfT6ZwV7AewuB7nJH+hXT5hfr6UOBCQo=

curl base.lua also works

Can’t find anything searching for release.pub and standby.pub on 4.0.5 branch to use to replace what’s on the router.

Problem with upgrade was solved.

How exactly did you solve it?

Alright, got a little further thanks to @cynerd! Here’s the full list of steps to make it as easy as possible for anyone to get closer.

  1. ssh root@[router IP]
  2. cd /etc/updater/keys/
  3. vim release.pub
  4. Confirm that the first line is a comment and the second line is a base64 encoded key (ends in ==)
  5. If it doesn’t, run the following line by line to fix the .pub and .pub.sig files (the following is for stable branch):
     curl -O https://repo.turris.cz/turris-stable/root/etc/updater/keys/release.pub
     curl -O https://repo.turris.cz/turris-stable/root/etc/updater/keys/release.pub.sig
     curl -O https://repo.turris.cz/turris-stable/root/etc/updater/keys/standby.pub
     curl -O https://repo.turris.cz/turris-stable/root/etc/updater/keys/standby.pub.sig
  6. pkgupdate

Note that running pkgupdate will require your attention as it may prompt you to press enter to continue to update to whatever release it finds.

Currently pkgupdate is now stuck on sha256 sum of python3-cryptography which I’m trying to figure out.

INFO:Downloading packages
line not found
line not found
line not found
DIE:
corruption: The sha256 sum of python3-cryptography does not match
Aborted

Edit: running again causes it to fail at a different package, so likely too many packages to update in a short amount of time, causing pkgupdate to fail? Would prefer not to dangerously use opkg upgrade [pkg], hopefully there’s a way to increase the upper time limit of pkgupdate…

Edit2: Have tried opkg upgrade [all luci-*, i18n, and l10 packages] which should be safe to upgrade w/o breaking core functions, still at about 600 list-upgradable packages

Edit3: Got lucky on another run, now running 5.1 after running pkgupdate after the first successful run to pick up the pkg adds

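The two checks discussed in this thread (are the .pub files well-formed, and does any of them belong to the key that signed base.lua) can be scripted. The following is an added example, not part of the original posts and not Turris updater code: it assumes the signify-style layout that usign files use (base64 of "Ed", an 8-byte key id, then 32 key bytes or 64 signature bytes), and the names parse_usign and audit_keys and the sample key files are constructed for illustration.

```python
import base64
import binascii

PUBKEY_LEN = 2 + 8 + 32   # "Ed" + key id + Ed25519 public key
SIG_LEN = 2 + 8 + 64      # "Ed" + key id + Ed25519 signature


def parse_usign(text, expected_len):
    """Return (key_id_hex, None) for a well-formed file, else (None, reason)."""
    lines = text.splitlines()
    if len(lines) < 2:
        return None, "premature end of file: %d line(s), need 2" % len(lines)
    try:
        blob = base64.b64decode(lines[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None, "second line is not valid base64"
    if len(blob) != expected_len or blob[:2] != b"Ed":
        return None, ("decoded to %d bytes, expected %d starting with 'Ed'"
                      % (len(blob), expected_len))
    return blob[2:10].hex(), None


def audit_keys(pubkeys, sig_text):
    """Map each key file name to 'match', 'other key <id>' or its defect."""
    sig_id, err = parse_usign(sig_text, SIG_LEN)
    if err:
        raise ValueError("signature file: " + err)
    report = {}
    for name, text in pubkeys.items():
        key_id, err = parse_usign(text, PUBKEY_LEN)
        if err:
            report[name] = err
        elif key_id == sig_id:
            report[name] = "match"
        else:
            report[name] = "other key " + key_id
    return report


# base.lua.sig exactly as shown by curl in the thread.
SIG = ("untrusted comment: signed by key dcb20e535c62dd5b\n"
       "RWTcsg5TXGLdWwp+Ys8ay2+9n/f0NBhYf2ILna6s/m8xie3S4i+fZhFVnpJf1AumeG0rfT6ZwV7AewuB7nJH+hXT5hfr6UOBCQo=\n")
# Constructed key files: one empty (as reported above), one carrying the
# signature's key id with an all-zero placeholder instead of real key bytes.
PLACEHOLDER = base64.b64encode(
    b"Ed" + bytes.fromhex("dcb20e535c62dd5b") + bytes(32)).decode()
KEYS = {"release.pub": "",
        "standby.pub": "untrusted comment: constructed\n" + PLACEHOLDER + "\n"}

if __name__ == "__main__":
    for name, status in audit_keys(KEYS, SIG).items():
        print(name, "->", status)
```

This only checks file format and key id; the signature itself is still verified by usign -V, as in the debug log above.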