Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    2.3-Release 2G NanoBSD release not signed?

    Scheduled Pinned Locked Moved Problems Installing or Upgrading pfSense Software
    4 Posts 2 Posters 924 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      Received "This image is not digitally signed." error message when attempting to auto-upgrade from 2.0.2-Release. I know RCs typically aren't signed–is this true for stable releases as well?

      Update source: http://updates.pfsense.org/_updaters/

      File in question: latest-nanobsd-2g.img.gz, 12-Apr-2016 18:11
      SHA256 hash matches. MD5 does not, as it is for a previous version, pfSense-2.2.6-RELEASE-2g-i386-nanobsd-upgrade.img.gz.

      If there is a signature, but my install doesn't trust it because I'm running an ancient release, I apologize for the noise.

      1 Reply Last reply Reply Quote 0
      • C
        cmb
        last edited by

        We stopped updating the md5s because recent versions only check the sha256, but I didn't think about the fact that much older releases can still need the md5. Fixed the md5s, and the staging script so those will continue to be updated.

        The signature is there and correct though. Maybe it errored out with a signature error because of the wrong md5? I don't recall for sure offhand how that would have failed in 2.0.x, too many releases since then. The cert on 2.0.x versions is the same as what's on 2.2.x. I'd already ran a full set of all 2.2.6 nanos through auto-update, but did it again on the same size and version your're on. All good.

        Try it again now that the md5 is correct.

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          Thanks for the quick response.
          I browsed through the logs, and found the following error message during the auto-update attempts:

          php: /system_firmware_auto.php: The command '/usr/local/sbin/gzsig verify /etc/pubkey.pem < '/root/latest.tgz'' returned exit code '2', the output was ''
          Not sure what hashing algorithms that version of gzsig supports, or if there is a file located at /root/latest.tgz. I believe the signature and hashes provided for file verification are unrelated, so they wouldn't have an impact.

          Since you vetted the file, I did attempt an auto-update configured to ignore unsigned images, and received a corrupt file notification. This could be the fault of file verification hashes, if it's expecting an different algorithm, file location, or contents.

          Instead of spending too much time on it, I'll probably be better off putting together an upgrade path to get to 2.2.6 and upgrading to 2.3 from there. Thanks for checking though!

          1 Reply Last reply Reply Quote 0
          • C
            cmb
            last edited by

            Any indication you're running out of disk space? Probably would log in the system log. If you have additional packages installed it's possible to be down low enough on free space that it wouldn't have enough room to write the file out to /root/ and then it'd fail verification.

            Not likely an upgrade to 2.2.6 would succeed either, unless it is disk space and you happen to have enough to fit 2.2.6 (2.3 is ~80 MB bigger).

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.