Bug ID 643404: 'tmsh system software status' does not display properly in a specific cc-mode situation

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:

Fixed In:
13.1.0, 13.0.0 HF1, 12.1.2 HF1

Opened: Feb 06, 2017

Severity: 4-Minor

Related Article: K30014507


If software image verification is enabled, the system must first verify a software archive with a cryptographic signature file before using it. If that file is not available, the software change will (intentionally) not proceed. It is also intended that 'tmsh system software status' will explain the condition. But instead, it shows 'failed (reason unknown)'.


It is difficult to ascertain why the software change cannot be made.


Trying to initiate a software change, but there is no signature file available that corresponds to the selected software archive if any of the following is also true: -- The system is in Common Criteria mode (db var Security.CommonCriteria). -- The system is in FIPS compliance mode (db var security.fips140.compliance). -- Signature checking is manually enabled (db var LiveInstall.CheckSig).


The installation logs a more detailed explanation for the failure. In the case of Common Criteria mode, it is essential to have the signature file in the same images directory as the .iso image you intend to install. To do so, copy the .sig file from the F5 Downloads site to the image location, and try the installation again.

Fix Information

The 'tmsh show system software status' now displays the relevant issue, for example: failed (No signature verification possible for image /shared/images/BIG-IP- Although you must still download the .sig file from F5 Downloads, it's clear what the failure is and what to do next.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips