Important announcement regarding system updates [Action needed]
universal-blue.discourse.group
If you use Bazzite, Bluefin, Aurora, uCore, or any other Universal Blue image (including our toolboxes) then you need to follow the instructions in this announcement in order to ensure that your device is getting updates. We were rotating our cosign keypairs this morning, which is the method that we use to sign our images. During this process I made a critical error which has resulted in forcing you to take manual steps to migrate to our newly signed images. All existing Universal Blue image...

Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature ___

I was banging my head against my keyboard for an hour thinking that I broke my system until I saw this.

  • Jayb151@lemmy.world
    0·
    1 day ago

    I installed Bazzite on a Dell latitude just to check it out… The son of a bitch booted once, let me install updates then never booted again.

  • marlowe221@lemmy.worldEnglish
    0·
    2 days ago

    Bluefin-DX is great! I’m still figuring out how everything works - there are a lot of tools included that are new to me, despite being a cloud-oriented developer.

    It’s a very different way to use Linux, from how the OS is constructed, to the container-first nature of the default applications and intended workflow. But I’m really enjoying learning how to use it.

    • j0rge@lemmy.ml
      0·
      1 day ago

      there are a lot of tools included that are new to me, despite being a cloud-oriented developer.

      Interesting! What tools do you commonly use?

      • marlowe221@lemmy.worldEnglish
        0·
        6 hours ago

        At work, we’re a Windows shop. So mostly Docker (desktop) via WSL2. But it depends on the project. Sometimes it’s just NodeJS in Windows itself!

        At home, mostly tools like nvm and Python venvs to handle multiple projects with potentially overlapping/problematic dependencies that I want to isolate from the base system.

        Either way, initial testing happens locally with Docker compose, sometimes minikube depending on the project.

        With Bluefin-DX it’s a lot of the same concepts but the included tools get you there a different, and honestly easier and more convenient way. But I have learn how to use those tools!

    • cflewis@programming.dev
      0·
      2 days ago

      Once I got the hang of connecting Distrobox containers to VS Code, I was really very pleased by the whole setup.

      I also thought it pretty incredible that running “ujust update” actually went into my Debian container for Haskell development and it ran “apt update” for me. I couldn’t believe it the first time.

  • Sina@beehaw.org
    0·
    3 days ago

    I don’t blame the guy for being human and it’s free software etc, but this is reality bad optics for immutable distros. If my nephew and grandma are going to need manual interventions like this one, then might as well use a less restrictive system. The promise of seamless and easy updates are the main draw for me.

    It would be much appreciated if UniBlue made the update process more robust and more resistant to such mistakes.

    (also curl piped into sudo bash is way more common than it should be)

    • boredsquirrel@slrpnk.net
      0·
      3 days ago

      They messed up the signing on the server side.

      They are using all non-stable technology. The Github action and cosign may be normal, but Fedora doesnt release their container images (even though they are the ones that uBlue consumes).

      The updating mechanism is fine, this is a security measurement. If the signing failed, it shouldnt update as this could mean malware.

    • Rogue@feddit.uk
      0·
      3 days ago

      This is a good tip but is there not a more reliable way for the issue to be communicated to users? I suspect many people are going to be stuck on the pre-error version of Bluefin, unaware that updating is broken.

      • unskilled5117@feddit.orgEnglish
        0·
        2 days ago

        It has been asked on the forum. Idk if they will consider implementing some type of notification for critical issues on the OS itself. Edit: they are working on a solution

  • Guenther_Amanita@slrpnk.net
    0·
    3 days ago

    Wow! Another reason to keep supporting uBlue. That’s how leadership is supposed to be. He did something wrong and instantly apologizes deeply and gives us a simple solution. I’m very proud and my trust is strengthened, thanks!

    I would like to share the fixing script here, but don’t feel comfortable anyone executing something I copy-pasted because of security. Go and read the letter yourself, it will take literally one minute.

    • cflewis@programming.dev
      0·
      2 days ago

      When I oopsie in server-side software, I roll it back, hopefully users never see it. When you oopsie client-side software it’s far more likely that users see it and resolution takes order days, not order minutes.

      As I am a coward, I only work server-side 🙃