- cross-posted to:
- linux@programming.dev
- linux@programming.dev
Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature ___
I was banging my head against my keyboard for an hour thinking that I broke my system until I saw this.
You must log in or register to comment.
Wow! Another reason to keep supporting uBlue. That’s how leadership is supposed to be. He did something wrong and instantly apologizes deeply and gives us a simple solution. I’m very proud and my trust is strengthened, thanks!
I would like to share the fixing script here, but don’t feel comfortable anyone executing something I copy-pasted because of security. Go and read the letter yourself, it will take literally one minute.
Yeah. Makes me love jorge and team maintaining ublue even more.
When I oopsie in server-side software, I roll it back, hopefully users never see it. When you oopsie client-side software it’s far more likely that users see it and resolution takes order days, not order minutes.
As I am a coward, I only work server-side 🙃
I don’t blame the guy for being human and it’s free software etc, but this is reality bad optics for immutable distros. If my nephew and grandma are going to need manual interventions like this one, then might as well use a less restrictive system. The promise of seamless and easy updates are the main draw for me.
It would be much appreciated if UniBlue made the update process more robust and more resistant to such mistakes.
(also curl piped into sudo bash is way more common than it should be)
They messed up the signing on the server side.
They are using all non-stable technology. The Github action and cosign may be normal, but Fedora doesnt release their container images (even though they are the ones that uBlue consumes).
The updating mechanism is fine, this is a security measurement. If the signing failed, it shouldnt update as this could mean malware.
To be fair, the blog post details how they plan on avoiding such an issue in the future
If you dont want to miss future announcements:
- With an Account on the forums you can get notifications if you turn them on for the “Announcement“ tag
- You can add https://universal-blue.discourse.group/tag/announcements.rss to your RSS reader
Thanks! Really helpful!
This is a good tip but is there not a more reliable way for the issue to be communicated to users? I suspect many people are going to be stuck on the pre-error version of Bluefin, unaware that updating is broken.
It has been asked on the forum. Idk if they will consider implementing some type of notification for critical issues on the OS itself. Edit: they are working on a solution
Thanks for spreading the word!
Lol
Finally got updated 😄👍
Logout still hangs on both X and Wayland sessions (KDE) 😫👎