Uki: kairos-agent should check if an image is signed with compatible keys loaded on the system before upgrade #2421
Labels
enhancement
New feature or request
triage
Add this label to issues that should be triaged and prioretized in the next planning call
Comments
nianyush
added
enhancement
|
I would even say that this is a bug rather than an enhancement as it's very easy to shoot yourself in the foot. Should be basic functionality. Maybe we can use https://github.com/itxaka/go-secureboot which contains the talos secureboot libs extracted, when it's ready for generic consumption? It has functions related to signatures so maybe we can rework it to read signatures from files and confirm if they are enrolled in the current machine |
|
duplicate of #2200 ? |
|
closing as #2200 should cover this already |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, kairos-agent wont check it and go for an upgrade. After reboot, the device will enter into following state and user cannot recover it or reset but can only do in new install. So kairos-agent should throw an error instead of upgrade with wrong image
The text was updated successfully, but these errors were encountered: