apertis-update-manager-ota-signed manual


Image Types:
minimal-armhf / minimal-arm64
Image Deployment:


Test the apertis-update-manager uses only signed updates over the air.


  • The DUT u-boot environment must be clean: in u-boot, run: `env default -a` followed by `saveenv`
  • A PC must be connected to DUT serial port
  • The DUT must be connected to network

Pre Conditions

  1. This test requires a properly configured time source: when testing devices not carrying a battery-backed real time clock in a network which prevents connections to NTP servers (and only in that case) manually ensure that the time on the device is set appropriately and that it is propagated to the hardware clock so it is stay set on the next reboot if the power is not plugged off.
  2. $ sudo timedatectl --adjust-system-clock set-time "2019-08-21 18:49:03"

  3. If direct access to repository with updates for DUT is restricted and proxy server should be used, then need to add the address of this proxy for OSTree on DUT by command:
  4. $ sudo ostree config set 'remote "origin"'.proxy ""

Execution Steps

  1. Check the initial deployment
  2. $ sudo ostree admin status

  3. Prepare the copy of commit and deploy to allow the upgrade to the same version
  4. Command below shows you an initial commit ID, for instance
  5. $ export BOOTID=$(sudo ostree admin status | sed -n -e 's/^\* apertis \([0-9a-f]*\)\.[0-9]$/\1/p'); echo $BOOTID

  6. Get the Collection ID and ref
  7. $ export CID=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 1 -d ' '); echo COLLECTION_ID=$CID

    $ export REF=$(sudo ostree refs -c | head -n 1 | tr -d '(),' | cut -f 2 -d ' '); echo REF=$REF

  8. Create the list of files to skip and ensure there are some files in those directories, the default Apertis 'ed25519' public key will be removed as well.
  9. $ ls -1d /usr/share/locale /usr/share/man /usr/share/zoneinfo /usr/share/ostree/trusted.ed25519.d > /tmp/skip

    $ du -sh /usr/share/locale /usr/share/man /usr/share/zoneinfo /usr/share/ostree/trusted.ed25519.d

  10. Create the commit with changed timestamp and skipped list from above to allow upgrade with recent update file
  11. $ export NEWID=$(sudo ostree commit --orphan --tree=ref=$BOOTID --add-metadata-string=ostree.collection-binding=$CID --bind-ref=$REF --timestamp="1 year ago" --skip-list=/tmp/skip); echo "New commit: $NEWID"

  12. Copy public key to home directory
  13. $ cp -av /usr/share/ostree/trusted.ed25519.d/apertis.ed25519 ./

  14. Deploy the prepared commit
  15. $ sudo ostree admin upgrade --allow-downgrade --deploy-only --override-commit=$NEWID --reboot

  16. Wait until the system is booted again and check the deployment
  17. $ sudo ostree admin status

  18. The booted commit (started with '*') must have ID which we prepare and the initial commit ID should be marked as '(rollback)'
  19. Remove the initial deployment
  20. $ sudo ostree admin undeploy 1

  21. Reboot the system
  22. Check the current deployment
  23. $ sudo ostree admin status

  24. Start the user interface agent with mode preventing automatic system reboot after update
  25. $ sudo updatectl --register-upgrade-handler &

  26. Need to monitor the journal log to catch events
  27. $ sudo journalctl -ef --unit apertis-update-manager &

  28. Enable network updates with CLI tool
  29. $ sudo updatectl --check-network-updates

  30. Check that the update manager refuses to update
  31. Sep 18 12:54:09 apertis apertis-update-[426]: Ostree upgrade failed: Can't verify commit

  32. Copy the public key to system-wide directory -- this allowing to use signed commits for update
  33. $ sudo mkdir -p /etc/ostree/trusted.ed25519.d/; sudo cp -av apertis.ed25519 /etc/ostree/trusted.ed25519.d/

  34. Try to update via network again
  35. $ sudo updatectl --check-network-updates

  36. Should to see started download/deploy process. Check the string saying we are using the signed commit: 'security: SIGN: commit'
  37. Sep 18 13:01:13 apertis apertis-update-managerd[426]: libostree pull from 'origin' for apertis/v2022dev0/amd64-uefi/minimal complete

    security: disabled

    security: SIGN: commit http: TLS

    non-delta: meta: 438 content: 3962

    transfer: secs: 64 size: 44.5 MB

  38. After the update, the device does *not* reboot automatically
  39. Check if there is pending deployment and reboot the DUT
  40. $ sudo ostree admin status

    $ sudo reboot

  41. Check the current deployment has been updated and that the rollback entry points to the prepared deployment
  42. $ sudo ostree admin status


The OTA update signed with 'unknown' signature is refused to update