Installer fails if system clock is set earlier than the
I installed GNOME OS on a spare laptop. At the end of the installation flow I got an error:
Image verification error.
eos-installer also does not provide any more useful info. (On Endless OS systems it successfully spawns eos-diagnostics
which creates a text file containing the journal, and provides a link to open it; but not on GNOME OS where eos-diagnostics
doesn't exist.)
From the systemd.debug_shell
environment I could see the problem: the system clock was set to some time in 2019 due to the laptop's main battery (and CMOS battery if it has one) running completely flat; but the GPG key used to sign the image was generated more recently, so was not yet considered valid. (I think from elements/iso/signed-image.bst
that it is generated at build time.)
Here are some ideas:
sha256sum not gpg signature
Since 2021 eos-installer has been able to verify the image using a sha256sum instead of a GPG signature. Rather than generating an .asc
file alongside the OS image, instead generate a .sha256
file with the normal format:
d500ea7ce148201d09a2ab5972cd9cbf0feaa61d74fae22b28feedfe97f5dd78 eos-eos5.1-amd64-amd64.240103-025438.base.img.xz
Checking this signature will not be sensitive to the system clock.
Set system clock to some minimum value
systemd-timesyncd sets the system clock to the mtime of /var/lib/systemd/timesync/clock
(or failing that the build time of systemd) if the system time is earlier than that time. @valentindavid believes the systemd build time is set to 2011 for reproducible build reasons.
Perhaps we could touch the clock
file during image build with its mtime set to the timestamp of the gnome-build-meta commit being built?