Signature verification failed in recovery #350

Open
rm5319 opened this issue Sep 5, 2024 · 10 comments
@rm5319

rm5319 commented Sep 5, 2024

I just patched a new update and tried to install it using adb sideload and I'm getting the following error on my phone

ERROR: recovery: failed to verify whole-file signature
Update package verification took 133.6 s (result 1).
ERROR: recovery: Signature verification failed
ERROR: recovery: error: 21

Install from ADB completed with status 2.
Installation aborted.

I'm 100% sure I used the same keys.

@pascallj
Contributor

pascallj commented Sep 5, 2024

I am not sure if it can cause these errors, but is there any chance you might have switched the ota and avb keys?

@rm5319
Author

rm5319 commented Sep 5, 2024

Absolutely not. I have a text file in which I store the command with all the correct paths except the OTA file which changes each update.

@chenxiaolong
Owner

While booted into Android, can you make a copy of your vendor_boot partition?

adb shell su -c 'dd if=/dev/block/by-name/vendor_boot$(getprop ro.boot.slot_suffix) of=/sdcard/vendor_boot.img'

And then on a computer:

adb pull /sdcard/vendor_boot.img
avbroot boot unpack -i vendor_boot.img
avbroot cpio unpack -i ramdisk.img.0

You should see a cpio_tree/system/etc/security/otacerts.zip file in there that contains an ota.x509.pem file inside. Make sure that matches your ota.crt.
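The comparison described above, as an added example that is not part of the original thread or of avbroot itself: it compares certificates by the SHA-256 of their decoded DER bytes, so differences in line endings or wrapping do not matter, and it checks every entry in the zip rather than only `ota.x509.pem`. The function names and sample data are constructed for illustration; placeholder bytes stand in for real certificates.

```python
import base64
import hashlib
import io
import re
import zipfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 of the decoded (DER) bytes of every PEM certificate in pem_text."""
    # b64decode discards characters outside the base64 alphabet (\r, \n, spaces).
    return [hashlib.sha256(base64.b64decode(body)).hexdigest()
            for body in PEM_RE.findall(pem_text)]


def check_otacerts(zip_bytes, ota_crt_pem):
    """Map each otacerts.zip entry name to True if it holds the ota.crt cert."""
    wanted = cert_fingerprints(ota_crt_pem)
    if len(wanted) != 1:
        raise ValueError("ota.crt should contain exactly one certificate")
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("ascii", errors="replace")
            result[name] = wanted[0] in cert_fingerprints(text)
    return result


def to_pem(der):
    """Wrap raw bytes in a PEM certificate envelope (sample-data helper)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def build_zip(entries):
    """Build an in-memory zip from {name: text} (sample-data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample data: placeholder bytes, not real certificates.
MY_CERT = to_pem(b"constructed-ota-cert" * 8)
OTHER_CERT = to_pem(b"constructed-other-cert" * 8)
# Same certificate stored with CRLF line endings: must still match.
GOOD_ZIP = build_zip({"ota.x509.pem": MY_CERT.replace("\n", "\r\n")})
# Zip that only carries a different certificate under another (made-up) name.
BAD_ZIP = build_zip({"other.x509.pem": OTHER_CERT})
```

On real files, pass the bytes of `cpio_tree/system/etc/security/otacerts.zip` and the text of `ota.crt` to `check_otacerts`; a result with no `True` value means the ramdisk does not trust that OTA certificate.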

@rm5319
Author

rm5319 commented Sep 7, 2024

It does match

@chenxiaolong
Owner

If that's the case, I have no idea what would be going on. You'll probably need to try and find the log messages prior to failed to verify whole-file signature.

If recovery mode allows adb access, you can adb pull /tmp/recovery.log after attempting to sideload. If not, then you can only look at the logs on the device's screen with the menu option (volume buttons to scroll).

@rm5319
Author

rm5319 commented Sep 17, 2024

I couldn't get adb in recovery to work and the logs I gave are all it spat out.

@chenxiaolong
Owner

Hmm, under recovery mode's View recovery logs on-screen option, there are no additional messages?

If so, I don't really have any idea how to troubleshoot this.

@luxqaoa

luxqaoa commented Sep 21, 2024

I also had this problem with the same error message a few days ago. I'll try to recall what happened, but I'm not really sure what I'm doing.

What happened

  • I've been using a Google Pixel 4a with DivestOS. I've updated my OS with adb sideload previously using the same certificate files and it worked fine. Both times using avbroot ota patch with prepatched magisk boot.img.
  • In both the previous update and this time, running avbroot ota patch ... I got the error "WARN The prepatched boot image may not be compatible with the original (...)"
  • In both the previous update and this time, running avbroot ota verify ... I got the error "ERROR boot's otacerts.zip does not contain OTA certificate"

Attempts at troubleshooting

I tried using the version of avbroot I used for my last update (3.0.0) and the error is the same.

Looking inside the current .patched image's \META-INF\com\android\otacert matches my ota.crt

I tried doing what was specified previously but my system doesn't have a vendor_boot_a/b folder. It has a boot_a/b folder (not sure if it's the same), whose otacerts.zip doesn't contain a ota.x509.pem. It only contains another certificate file.

I unpacked the boot.img of the original divestOS image using avbroot extract and the last two commands and saw it also doesn't contain a ota.x509.pem. I don't think the .patched's boot.img did either.

I ran avbroot ota patch ... with debug level --log-level trace and got this output.

@chenxiaolong
Owner

@luxqaoa I've moved your report to #356. Although there are similar symptoms, the root cause is different (and is indeed related to your device putting recovery mode stuff in boot instead of vendor_boot).

@chenxiaolong
Owner

@rm5319 Although I don't know what originally caused the problem on your device, if you're certain that the new OTA you're flashing is good, you should be able to use the same workaround as for #356 to actually install it: #357 (comment)
