On Mon, 2022-03-14 at 09:40 +0000, Yazdani, Reyhaneh wrote:
> Hi Jan,
>
> Thanks for the quick response.
>
> > -----Original Message-----
> > From: Jan Lübbe <j...@pengutronix.de>
> > Sent: Monday, 14 March 2022 09:39
> > To: Yazdani, Reyhaneh <ryazd...@data-modul.com>; rauc@pengutronix.de
> > Subject: Re: [RAUC] RAUC update systems with release keys
> >
> > Hi Reyhaneh,
> >
> > On Mon, 2022-03-14 at 08:08 +0000, Yazdani, Reyhaneh wrote:
> > > Hello,
> > >
> > > Currently we have some devices which were programmed with development
> > > keys in the past.
> > > Now, we need to use them as final devices with bundles signed with
> > > release keys.
> > > I copied the cert file manually to the certificate path in the rootfs and tried
> > > to use the rauc install command to program the device with the release bundle,
> > > but it fails.
> >
> > Just to avoid misunderstandings: You replaced your /etc/rauc/keyring.pem
> > (or another keyring path as configured in your system.conf) with the release
> > keyring?
>
> [Reyhaneh] Yes, I replaced the old /etc/rauc/rauc.cert.pem (the path of which is
> defined in system.conf) with the new one.
>
> > Did you restart the rauc service?
>
> [Reyhaneh] Yes. I ran systemctl restart rauc

Good. Which error output do you see from the rauc service in the journal?

> > > What would be the correct procedure to bring development devices into
> > > final devices?
> >
> > Your approach should work in general, but there are others.
> >
> > You could also have the release CA certificate as a second cert in the
> > development image keyring. In that case, you should be careful with
> > migrations, though, as you probably want to avoid unexpected leftovers
> > from development software.
>
> If I want to resign the bundle instead of bitbaking a new bundle with the
> release key, then I should use the "rauc resign" command. Yes? Is the below
> command correct?
>
> rauc resign --cert=new-cert --key=new-key --keyring=old-keyring input-bundle output-bundle

You could add --signing-keyring=new-keyring to let RAUC check that the resulting
signature can be verified with the new keyring.

Also, please note that when you use 'rauc resign', you need to select the correct
keyring file in a hook (otherwise you're probably installing just the development
keyring). There is an example in
https://rauc.readthedocs.io/en/latest/advanced.html#switching-the-keyring-spki-hashes

Regards,
Jan

-- 
Pengutronix e.K.                 |                             |
Steuerwalder Str. 21             | http://www.pengutronix.de/  |
31137 Hildesheim, Germany        | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |

_______________________________________________
RAUC mailing list
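An added example (not from the thread and not RAUC's own code) of the keyring-selecting hook Jan refers to: a slot post-install hook that copies the release keyring into the freshly written rootfs only when the bundle was signed with the release certificate, and otherwise keeps the development keyring. It assumes the hook environment variables RAUC_SLOT_MOUNT_POINT and RAUC_BUNDLE_SPKI_HASHES (taken as a space-separated list, names as in the linked RAUC docs), and placeholder values for the release SPKI hash and the keyring paths.

```shell
#!/bin/sh
# RAUC slot hook (added example, not from the thread or the RAUC project).
# Wired up in the bundle manifest with "[hooks] filename=hook.sh" and
# "hooks=post-install" on the rootfs image; RAUC then runs
#   hook.sh slot-post-install
# with RAUC_SLOT_MOUNT_POINT and RAUC_BUNDLE_SPKI_HASHES (assumed to be
# a space-separated list, names as in the linked RAUC docs) set.

# PLACEHOLDER: SHA-256 SPKI hash of the release signing certificate,
# computed with
#   openssl x509 -in release.cert.pem -pubkey -noout \
#     | openssl pkey -pubin -outform der | openssl dgst -sha256
RELEASE_SPKI="0000000000000000000000000000000000000000000000000000000000000000"
# Both keyrings are shipped inside the new rootfs; assumed paths.
RELEASE_KEYRING="/etc/rauc/release-keyring.pem"
DEV_KEYRING="/etc/rauc/dev-keyring.pem"

# Pick the keyring the installed system should trust, based on which
# certificate signed the bundle being installed. Prints the path.
select_keyring() {
    for h in $1; do   # unquoted on purpose: split the hash list on spaces
        if [ "$h" = "$RELEASE_SPKI" ]; then
            echo "$RELEASE_KEYRING"
            return 0
        fi
    done
    echo "$DEV_KEYRING"
}

# Copy the chosen keyring to the path system.conf points at (the thread
# uses /etc/rauc/rauc.cert.pem) inside the freshly written rootfs.
install_keyring() {
    mnt="$1"; src="$2"
    if [ ! -f "$mnt$src" ]; then
        echo "keyring $src missing in new rootfs" >&2
        return 1
    fi
    cp "$mnt$src" "$mnt/etc/rauc/rauc.cert.pem"
}

case "$1" in
    slot-post-install)
        keyring=$(select_keyring "$RAUC_BUNDLE_SPKI_HASHES")
        if [ "$keyring" = "$DEV_KEYRING" ]; then
            echo "bundle not signed with the release key, keeping dev keyring" >&2
        fi
        install_keyring "$RAUC_SLOT_MOUNT_POINT" "$keyring"
        ;;
esac
```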