THIS IS NO LONGER AN ISSUE, THIS THREAD IS BEING KEPT OPEN FOR INFORMATIONAL PURPOSES
Only necessary if you have an old image from before July 2024
Original text follows:
If you use Bazzite, Bluefin, Aurora, uCore, or any other Universal Blue image (including our toolboxes) then you need to follow the instructions in this announcement in order to ensure that your device is getting updates. We were rotating our cosign keypairs this morning, which is the method that we use to sign our images.
During this process I made a critical error which has resulted in forcing you to take manual steps to migrate to our newly signed images.
- All existing Universal Blue images from BEFORE 2024-07-02 will need to issue the commands below in order to receive future updates; your device will reject future updates unless this action is undertaken.
- If you are a new user and have installed from an ISO AFTER 2024-07-03 then you do not need to take any action; this only affects existing installations before that date.
- This incident does not mean that there was a security breach, quite the opposite, in fact. It means the protections and checks we’ve built into the operating system are working and they’ll refuse to accept an update signed by an unknown key.
- The installation on your device is fine; upgrades just won’t work. But you do need to follow the instructions below in order to get updates.
- All the Universal Blue images and ISOs have been updated to the new key. We strongly recommend replacing any downloaded ISOs with the new ones to avoid having to do this on new installations.
- We are working on signing some older images so that you can still have rollback (especially for you Bazzite users on AMD Polaris GPUs) and will post more information as soon as we can.
I deeply apologize for this, I take full personal responsibility as the error was completely mine, from both a technical and process standpoint. I know this shakes the amount of trust we’ve built up over the past three years, so there’s no easy way to say it other than by being transparent about the mistakes.
Instructions
We have a script that will resolve the issue. We strongly recommend reviewing the script before running it by inspecting it here. You can either perform those steps by hand or use the following command:
curl -sL https://fix.universal-blue.org/ | sudo bash
Process changes
For the process changes enacted to ensure this doesn’t happen again, please see the following GitHub issue: create update process/solution for cosign key rotation · Issue #600 · ublue-os/main · GitHub
Huge thanks to p5, m2, bsherman, antheas, hikariknight, bketelsen, and eyecantcu for mitigating my mistake as best they could. Thank you for your patience and support!
Update 2024-07-01
This is what the error looks like if you try to run an rpm-ostree update command on an affected install:
rpm-ostree update
note: automatic updates (stage) are enabled
Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:stable
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
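One way to follow the "review the script first" advice under Instructions, as an added example that is not part of the original announcement or the project's own script: it stages the download in a file, pins its SHA-256, and runs only the bytes that were reviewed, instead of piping whatever the server returns straight into a root shell. The function names and the `FETCH`/`RUNNER` override variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: stage, review, then run the fix script (alternative to curl | sudo bash).
FIX_URL="https://fix.universal-blue.org/"   # URL from the announcement
FETCH="${FETCH:-curl -fsSL}"                # assumption: override hook for the download command
RUNNER="${RUNNER:-sudo bash}"               # assumption: override hook for the interpreter

# True if update output contains the signature error quoted in the announcement.
is_affected() {
    printf '%s\n' "$1" | grep -q 'cryptographic signature verification failed'
}

# Download to a private temp file; print "<path> <sha256>" so the reviewed bytes are pinned.
stage_script() {
    local url="$1" tmp
    tmp="$(mktemp)" || return 1
    if ! $FETCH "$url" >"$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "download failed or empty: $url" >&2
        return 1
    fi
    printf '%s %s\n' "$tmp" "$(sha256sum "$tmp" | cut -d' ' -f1)"
}

# Execute the staged file only if it still matches the hash recorded at review time.
run_reviewed() {
    local path="$1" expected="$2" actual
    actual="$(sha256sum "$path" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run: $path changed since review" >&2
        return 1
    fi
    $RUNNER "$path"
}

# Typical session on an affected install:
#   is_affected "$(rpm-ostree update 2>&1)" && echo "signature error present"
#   set -- $(stage_script "$FIX_URL")   # $1 = path, $2 = sha256
#   less "$1"                           # read every line before going further
#   run_reviewed "$1" "$2"
```
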