Skip to content

signature verification failed with all loaded keys

Symptom

The device downloads the artifact and the agent log shows:

signature verification failed with all loaded keys

The update aborts. The console shows the deployment stuck in pending or failed.

Cause

The artifact was signed with a private key whose corresponding public key is not registered as an active signing key in the organization, or the signing key was rotated after the artifact was uploaded. The server-side check (signature_checker.py) tries every active key for the organization and raises HTTP 422 if none match.

Fix

Confirm which keys are active in the console under Settings → Signing Keys. Download the active public key and verify its fingerprint matches what was used to sign the artifact:

Terminal window
# On the build host, check which key signed the artifact
openssl dgst -sha256 -verify active-key.pub -signature artifact.sig firmware.mender
# List active keys via the API
curl -s http://localhost:8000/api/signing-keys \
-H "Authorization: Bearer $TOKEN" | jq '.[].fingerprint'

Re-sign the artifact with the correct active private key and re-upload, or register the matching public key as a new active signing key under the organization.