Install page links (image, checksum, signature) wrong, give 404 for Raspberry Pi

What type of hardware are you using: Raspberry Pi 3, 4+
What YunoHost version are you running: 12.0
How are you able to access your server: Other(?)
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: n/a

Describe your issue

The actual images etc in the repo are all yunohost-BOOKWORM-12.0-rpi, which looks good to me.

However, the installation instructions (Pre-installed images | Yunohost Documentation) links for Raspberry Pi (image, signature, checksum) all go to …/images/yunohost-BULLSEYE-12.0-… So all those links give a 404.

As far as I can see, links for other architectures look good.

Share relevant logs or error messages

n/a

Also, the checksum of the image is OK, but I can’t verify the signature as the public key seems missing from the downloaded yunohost.asc;

$ gpg --verify yunohost-bookworm-12.0-rpi-stable.img.zip.sig 
gpg: assuming signed data in 'yunohost-bookworm-12.0-rpi-stable.img.zip'
gpg: Signature made Mon Nov 25 17:23:18 2024 CET
gpg:                using RSA key E05E79061221D737567D38875D09F2273DAC3BD5
gpg: Can't check signature: No public key

Link is fixed, sorry about that!

Hmmmokay but did you really import the key in gpg etc ?

Thanks!

Yup, from command history:

$ gpg --import yunohost2.asc 
gpg: key 360AAF3259A3E6FF: "YunoHost <build@yunohost.org>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

Where the yunohost2.asc file was downloaded today. Also:’

$ gpg --verify yunohost-bullseye-11.2.8-rpi-stable.img.zip.sig 
gpg: assuming signed data in 'yunohost-bullseye-11.2.8-rpi-stable.img.zip'
gpg: Signature made Thu Dec 28 00:56:43 2023 CET
gpg:                using RSA key 1904C5B42E4856DCD4E9CF96360AAF3259A3E6FF
gpg: Good signature from "YunoHost <build@yunohost.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1904 C5B4 2E48 56DC D4E9  CF96 360A AF32 59A3 E6FF

Sooooo… it does work ?

Eh, no.

It does work for the bullseye image, but for the bookworm image, it says

gpg: Can't check signature: No public key

as noted above.

Edit to add:

  • I checked all .asc key files I have, including one I just downloaded, and they are identical.
  • The signature for the bullseye image matches the key 1904...E6FF, which is in the file(s)
  • The signature for the bookworm image is made with a different key E05E...3BD5, not in the file(s)

Either the file I downloaded was signed by the project with a different key, or it was modified in transit :grimacing: