Hi, On Wed, 2022-03-16 at 08:36 +0000, Yazdani, Reyhaneh wrote: > Hello, > > I have a bundle, which is signed with keys in the past. > Now, I have new keys, which are created with a new ica-certificate. When I > want to resign the bundle with new keys, I face this error: > > Failed to resign bundle: failed signing bundle: signature verification failed: > Verify error:unable to get local issuer certificate
Please don't trim the log output. You can also use -d to get more output. > This is the command which is applied: > > rauc resign --cert=new-certificate-1.pem --key=new-key-1.pem --keyring=old- > rauc.cert.pem This is only correct if the old certificate was self-signed. Otherwise it must be the old root CA certificate. > --signing-keyring=new-certificate-1.pem If your using intermediate certificates, the new-certificate-1.pem can't be self-signed. Accordingly, using it as the --signing-keyring can't be correct. You need to use the *new* root CA certificate here. > --intermediate=new-ica-certificate.pem old-bundle.raucb new-bundle.raucb > > Can I resign a bundle with new ica-certificate? It uses the same code paths as the normal bundle creation for singing, so I don't see why it should behave differently. Regards, Jan -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ RAUC mailing list
