I accidentally my private key

[pepijndevos]

It's a long shot, but would someone be willing to sign the latest build of my HAOS fork with the official HA key so I don't have to tell my beta testers to root ssh into their pi to hack in a new cert?

I'm usually sort of careless with self-signed certificates as being basically disposable, so when I encountered permissions errors when building 16.1 in docker, I ran git clean which evidently nuked the private key that was generated. I didn't think much of it until I tried to install the rauc and it got rejected. Turns out this self signed certificate is extremely not disposable and should be guarded with my life!

So https://pkg.sanctuary-systems.com/hassos/haos_rpi5-64-16.1.raucb contains a freshly generated public key, and it seems like the only way to install it on an existing installation is to root ssh into the pi and bind mount a new key on top of the read-only root filesystem, as per the first.

If it were just me, I'd just do the bind mount, but I also shipped this OS to my beta testers, not all of which are software developers. I know it's a lot to ask and a bit of a security risk. I guess it would be even more to ask but less chance of making officially signed malware to build the image from source: dev...sanctuary-systems-com:operating-system:amd-6.12 but I am afraid I might have to go tell my beta testers to do the ssh thing or reinstall. At least I learned this lesson while only a hand full of people use my fork.

[sairon]

No worries, I don't see a reason why we shouldn't help you out. Rather than signing the update with the release key though, I suggest to let our GH runner (which has the production key in its secrets) to build the update file, which will be better for transparency. To do that, prepare a branch with cert.pem checked in the repo (it's gitignored by default, so use git add -f cert.pem), as it's the easiest way to include extra cert in the keyring:

operating-system/buildroot-external/scripts/rauc.sh

Line 46 in 62747cd

openssl x509 -in "${cert}" -text >> "${TARGET_DIR}/etc/rauc/keyring.pem"

Then I'll push this branch to our repo, check it and run a build from that branch. Your users will need to use that version as a stepping stone though, there's no way around that without signing your certificate by HA certificate authority.

[pepijndevos]

Thank you so much!

I've pushed the cert.pem to #4159 / https://github.com/sanctuary-systems-com/operating-system/tree/amd-6.12

So AIUI that build would be signed with your production key, but have my new cert.pem appended to its keyring so my beta testers could install it because it matches the production key, and future updates will be accepted based on the new cert.pem.

[sairon]

So AIUI that build would be signed with your production key, but have my new cert.pem appended to its keyring so my beta testers could install it because it matches the production key, and future updates will be accepted based on the new cert.pem.

Exactly, unless you modified the CA files, and if you keep the cert.pem in the directory from where you run the builds, all current installations should accept this update (as it's signed with a key that's signed by the HA CA) and this special and any further builds from your builder should accept updates signed with the new key, as your certificate is appended to the keyring.

I cherry-picked 71d222a and ran the build for rpi5-64 here: https://github.com/home-assistant/operating-system/actions/runs/17235224909 - once it finishes, you can download the build artifact and distribute it. Note the version will be 16.1.dev1756203741 but at least you will be able to easily distinguish it.

[pepijndevos]

Downloaded! Thanks again!