Last Modified: Nov 07, 2022
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0
13.1.0, 13.0.0 HF1, 12.1.2 HF1
Opened: Feb 06, 2017 Severity: 4-Minor Related Article:
Related Article: K30014507
If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.
It is difficult to ascertain why the software change cannot be made.
Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true: -- The system is in Common Criteria mode (db var Security.CommonCriteria). -- The system is in FIPS compliance mode (db var security.fips140.compliance). -- Signature checking is manually enabled (db var LiveInstall.CheckSig).
The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install. To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.
The 'tmsh show system software status' now displays the relevant issue, for example: failed (No signature verification possible for image /shared/images/BIG-IP-188.8.131.52.0.249.iso). Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.