Invalid Signature for a RELEASE image


  • Hi all  :)

    As the new 2.1 version has been release, I would like to have my appliance upgraded, but … it looks like there's an issue with the image stored on the PF servers  :o

    A new version is now available

    Current version: 2.0.3-RELEASE
    NanoBSD Size : 512mb
    Built On: Fri Apr 12 10:22:18 EDT 2013
    New version: 2.1-RELEASE

    Update source: http://updates.pfsense.org/_updaters/

    Once auto update has been invoked, the image downloads fine, but when the install is about to begin, I get the following message :

    The digital signature on this image is invalid

    I'm quite surprised to have this error message since the I'm targeting the official repository ( I have also retried several times ).

    Any advice ?

  • Rebel Alliance Developer Netgate

    I fetched them from the repository and they are OK here:

    : gzsig verify /etc/pubkey.pem latest-nanobsd-512mb.img.gz  
    Verified latest-nanobsd-512mb.img.gz
    : gzsig verify /etc/pubkey.pem latest-nanobsd-vga-512mb.img.gz                
    Verified latest-nanobsd-vga-512mb.img.gz
    

    Perhaps something corrupted or intercepted the download? Are you behind a proxy?

    From the firewall's shell, run:

    /etc/rc.conf_mount_rw
    fetch -o /root/ http://updates.pfsense.org/_updaters/latest-nanobsd-512mb.img.gz
    gzsig verify /etc/pubkey.pem /root/latest-nanobsd-512mb.img.gz
    

    If it still doesn't work, check what is actually in that file:

    : file latest-nanobsd-512mb.img.gz
    latest-nanobsd-512mb.img.gz: gzip compressed data, extra field, from Unix, last modified: Wed Sep 11 19:17:26 2013
    

    If it says something else, like HTML text or similar, then you know it isn't really the right file.


  • Hi jimp :)

    Thanks for your answer.

    I was able to troubleshoot the issue : the problem was because there was not enough space left in /root  in order to accomodate the download of the 218MB image, and the file download was therefore incomplete ( hence the Digital Signature failure ).

    Now this brings me to another interesting question : considering that the image to be downloaded is around 218MB, and that I have ( after having cleaned the partial image download ) only 50MB left on the / FS, how can I upgrade my pfSense ?  :-\

    Filesystem          Size    Used  Avail Capacity  Mounted on

    /dev/ufs/pfsense1    215M    148M    50M    75%    /
    devfs                1.0K    1.0K      0B  100%    /dev
    /dev/md0              38M    314K    35M    1%    /tmp
    /dev/md1              58M    15M    38M    28%    /var
    /dev/ufs/cf          48M    1.3M    43M    3%    /cf
    devfs                1.0K    1.0K      0B  100%    /var/dhcpd/dev

    Any help appreciated  :)

  • Rebel Alliance Developer Netgate

    The files for either 512MB variant are less than 80MB:

    -rw-r--r--  1 root  wheel  79564762 Sep 15 13:00 latest-nanobsd-512mb.img.gz
    -rw-r--r--  1 root  wheel  79702166 Sep 15 09:47 latest-nanobsd-vga-512mb.img.gz
    

    Where are you getting the 218MB figure?


  • Interesting …. downloading directly the image ( http://updates.pfsense.org/_updaters/latest-nanobsd-512mb.img.gz ) with Chrome gives me a file weighting ~ 218MB, whereas downloading the same image with Firefox gives me a file weighting ~ 76MB  :P

    ( looks like Chrome is getting fooled by the Content Encoding header somehow ! )

    Granted, the file weights less than 80MB, but how can I upgrade the pfsense platform with only 50MB free ?  ???

    PS : I upgraded the same appliance from 2.0 to 2.02 and 2.03 without such issues. Were the images smaller then than now ?

  • Netgate Administrator

    I would guess that chrome is extracting the image from the gzip file for you. Helpful.

    Steve

  • Rebel Alliance Developer Netgate

    The 2.0.3 update files were not much off the same size. It looks like the i386 update for 2.0.3 on 512MB NanoBSD was 66.4M

    I would not be surprised if we drop 512MB CF support for 2.2.


  • Is there something I can clean in the / FS in order to be able to upgrade to 2.1 ?  :-[

    ( my appliance always ran the original pfSense images – no addons whatsoever --, and I'm surprised to run out of space )

  • Rebel Alliance Developer Netgate

    Do you have any packages installed? If so, uninstall them


  • I don't have any packages installed ( I'm running a stock 2.03 version of pfSense ) on my appliance

    What can I do to be able to upgrade to 2.1 ?  :-[

  • Netgate Administrator

    Hmm, odd, you can't be the first person with a 512MB Nano install to try to update.

    You could always flash 2.1 clean onto the card and restore your config aftwerwards. Bit inconvenient though. It would give you an opportunity to upgrade to a bigger card at the same time.

    Steve


  • Yes indeed, I have tought about this.

    But as you've written, it is really odd, running a stock pfSense on a 512MB CF, not being able to upgrade to a version that supposely fits that kind of support ( including an upgrade procedure ) :o

    That's why I'm also trying to understand what is taking the extra space I'm missing ( could the RRD graphs data be the reason ? )

  • Netgate Administrator

    Have you ever run any packages on that box?
    It seems more likely that the space is taken up by the remains of a previous failed update.  :-\ Just speculating there though.

    Steve


  • I Never ran any packages on that box.

    There are 43MB available on the /cf FS. If I could add that to the 50MB available on the /, I would have enough to fetch the upgrade image ( ~ 76MB ).

    Filesystem          Size    Used  Avail Capacity  Mounted on
    /dev/ufs/pfsense1    215M    148M    50M 75%    /
    devfs                1.0K    1.0K      0B  100%    /dev
    /dev/md0              38M    258K    35M    1%    /tmp
    /dev/md1              58M    15M    38M    28%    /var
    /dev/ufs/cf          48M    1.5M    43M 3%    /cf
    devfs                1.0K    1.0K      0B  100%    /var/dhcpd/dev

  • Netgate Administrator

    You can't add the conf slice to the main slice in use. The best you could so, if you went that route, would be to increase the size of /tmp. However you would have to then reconfigure it to use /tmp for the download and you might run out of memory anyway.

    Here's a suggestion. Try switching to the other slice in Diagnostics: NanoBSD:. The other slice probably has 2.0.2 on it but you should be able to upgrade to 2.1 directly from that. Since you were able to upgrade to 2.0.3 it must have had at least 66.4MB of space.

    Steve

  • Rebel Alliance Developer Netgate

    I hit this today as well on a client. I took an axe to a bunch of files until I had enough space to upgrade, but it worked once I freed up 80MB of disk space.

    Seriously though the best solution is to replace the 512MB card/image with something much bigger, 4GB should do it.


  • I've run into space issues before - I would delete all packages AND reset the RRD data to clean out all the saved graph data too - even if you're not using RRD now it's still a good idea to clean out the data if you've ever used it in the past.

    Then upgrade.  When you've upgraded, add the packages back in but install the bigger packages first (ie Avahi) and the smaller packages last (blinkled etc). CF cards are cheap these days so there's no reason not to have a 4Gb card but you can run out of RAM as well as disk space so a larger CF card isn't necessarily going to solve your problems.