Ubuntu
android package

Update GPG verification always fails

Bug #1272711 reported by Florian W.
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
android (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Since the GPG validation in recovery is now working correctly, I noticed another bug in system-image-upgrader that seems to prevent all updates from being applied, even if they are signed by a trusted image-signing key. Instead, the recovery log contains "Invalid signature" and the device reboots without applying the update. From a user POV it's difficult to notice that the update didn't work.

The bad code is probably:
            if ! verify_signature device-signing /cache/recovery/$2 && \
               ! verify_signature image-signing /cache/recovery/$2; then

This should probably be $3 instead of $2.

I tested this with $3 and updates were applied correctly instead of showing "Invalid signature". However, I haven't tested the opposite, i.e. if it discards updates with bad signature.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in android (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.