Update to 2022.3.3 doesn't work

Thank you. Now I am getting “‘HomeAssistantCore.update’ blocked from execution, system is not healthy” -_-

I’m having the same problem, but unfortunately it’s on initial setup. I must be very unlucky: I had been trying to update but it wasn’t working, then found out my SD card was corrupt and thought that this was it. Now I’m on SSD with the geekwork x862 v2.0 and initial setup is in a failed loop. I’m not sure if the problem is from the SSD controller or the hassio side, but I’m getting the same errors:

22-03-10 12:05:57 CRITICAL (SyncWorker_2) [supervisor.docker.interface] Pulled image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2022.3.3 failed on content-trust verification!
22-03-10 12:05:57 WARNING (MainThread) [supervisor.homeassistant.core] Error on Home Assistant installation. Retry in 30sec

or

22-03-10 12:01:21 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.SUPERVISOR
22-03-10 12:01:22 WARNING (MainThread) [supervisor.homeassistant.core] Error on Home Assistant installation. Retry in 30sec
22-03-10 12:01:31 ERROR (MainThread) [supervisor.utils.codenotary] Timeout while processing CodeNotary
22-03-10 12:01:32 ERROR (MainThread) [supervisor.utils.codenotary] Timeout while processing CodeNotary
22-03-10 12:01:41 ERROR (MainThread) [supervisor.resolution.check] Error during processing IssueType.TRUST:
22-03-10 12:01:41 INFO (MainThread)

Mine is also stating unsupported and unhealthy out of the blue. I thought I got compromised so I restored to a backup from several days ago and it still says it.

core-2022.3.1
supervisor-2022.03.2

Is there a safe fix, or is this even something that can be resolved with a patch?
Since it’s refusing to update…

We must wait until the external issue is fixed…

frenck has posted this explanation:


Basically Home Assistant’s Supervisor has a cloud dependency (yes, I recognize the irony but let’s leave that discussion for another day). It depends on Code Notary to validate the integrity of the software. However, Code Notary has had problems servicing requests. Supervisor is being modified to mitigate Code Notary’s performance problems.

Ideally, I would like to see a Supervisor option to disable the use of Code Notary (I want fewer cloud dependencies).

3 Likes

Supervisor 3.3 (new one) is ready to download. After upgrade all is ok, no errors

1 Like

Same here; all is well after upgrading Supervisor to version 2022.03.3.

That has always been possible:

ha security options --help

Content trust is not new.

2 Likes

Thanks for your work!

Can you help me understand what I did wrong because I have always had core_security (and addon_pwned) disabled.

However, despite core_security being disabled, my system was marked Unsupported/Unhealthy after it failed to validate with Code Notary.

Shouldn’t disabling core_security (which I believe is the --content-trust option) have skipped validation via Code Notary?

Or is it governed by the --force-security option? (I don’t understand the difference between those two options.)

Just so we’re clear - Home Assistant, an open-source home automation tool that prides itself on being local and controlled by the user, has a dependency on a 3rd party cloud system which checks to make sure that people aren’t running anything they want on their own home automation platform.

Do I need to point out how crazy several of those things are? Why do we need a nanny to tell us if we’re running “approved” code on an open source and locally-run automation platform? Why does that nanny need to be in the cloud and run by a 3rd party? What exact information is my “local” system sending to that 3rd party?

Better still - how can I disable all of these things?

3 Likes

Can you help me understand what I did wrong because I have always had core_security (and addon_pwned) disabled.

This is about content trust.

Look at it the way you want. Codesigning is a security feature, which ensures the stuff you are running is what is shipped by the creator in this case. This is a fairly common process, even in open source (e.g., all Linux distributions sign their packages). You are free to ignore it if you like. :man_shrugging:

I see that as positive and reassuring personally. If you rather run possibly unsigned code because you feel like you are being nannied (even though nobody is watching), please, feel free to do so. Nobody is stopping you.

2 Likes

Got it; this disabled it:

ha security options --content-trust=False

Now it reports the system is unsupported (because Content Trust is disabled) but that’s a reasonable compromise.

1 Like

The answer I was looking for, thanks @123! My system is now unsupported, which I guess means I can no longer call the Nabu Casa support line. I think I can live with this compromise (and also allow my system to boot when some cloud service isn’t online).

I am glad the feature is there, however, the documentation basically says you probably got hacked and should rebuild it.

This made me think I had been compromised and restored a backup. Other people may not have been so lucky as they may have started over. It may be beneficial to include more information in the documentation outlining that it could be a false positive and resources people can check before they pull the plug and start over.

2 Likes

First I want to be clear that I <3 HA and I really admire the work you’ve done personally on this project. However, your answer didn’t actually answer any individual question I raised. Linux (and many other projects) does offer signed code, but it doesn’t need a 3rd party cloud service to make that happen, nor does this answer actually address the questions.

@123 was kind enough to answer one of my major questions (how do I disable this feature) so that one is handled.

I’ll restate because I think this is the important question: exactly what information is being sent to this 3rd party?

If you encounter a bug, re-enable content-trust. If the bug persists then it’s unlikely that disabling content-trust had anything to do with the bug and your system is back to being supported.

Hmm, got the “Detected untrusted content” message last night. Also got a “failed to install” message for the 2022.3.3 Supervisor as I tried to install it, thinking it might fix the error. Wasted time looking around and now the system says all is well and I’m running 2022.3.3, which earlier it said it was able to install. I guess it all had to do with the Code Notary cloud implementation. The approach does need to be updated. A warning that the system can no longer talk with Code Notary might be more appropriate when that’s what happened. Using the same error message that indicates we believe you’ve been hacked isn’t a good selection of messages. This also brings up an interesting question: what’s the recommended approach to just re-install all the HA code/containers while keeping your configuration details? That is, assuming your backups are contaminated with whatever causes HA to publish the error.
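
Added example (not part of any post in this thread and not Supervisor code): a log triage sketch that separates a content-trust failure logged while CodeNotary is timing out from one logged with no sign of a verifier outage, run over log lines quoted earlier in the thread. The 10-minute correlation window, the function names and the verdict labels are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Line layout as it appears in the Supervisor log excerpts quoted in this thread.
LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\((?P<thread>[^)]*)\)(?: \[(?P<logger>[^\]]+)\] (?P<msg>.*))?$"
)
# Message fragments taken from those same log lines.
TRUST_FAILED = "failed on content-trust verification"
NOTARY_DOWN = ("Timeout while processing CodeNotary",
               "Error during processing IssueType.TRUST")

# Lines copied from the posts above; the last one is truncated in the thread.
SAMPLE = [
    "22-03-10 12:01:31 ERROR (MainThread) [supervisor.utils.codenotary] Timeout while processing CodeNotary",
    "22-03-10 12:01:41 ERROR (MainThread) [supervisor.resolution.check] Error during processing IssueType.TRUST:",
    "22-03-10 12:01:41 INFO (MainThread)",
    "22-03-10 12:05:57 CRITICAL (SyncWorker_2) [supervisor.docker.interface] Pulled image ghcr.io/home-assistant/raspberrypi4-64-homeassistant:2022.3.3 failed on content-trust verification!",
]

def parse(lines):
    """Yield (timestamp, logger, message); skip truncated or foreign lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["logger"]:
            yield datetime.strptime(m["ts"], "%y-%m-%d %H:%M:%S"), m["logger"], m["msg"]

def triage(lines, window=timedelta(minutes=10)):
    """Label each trust failure; `window` is an assumed heuristic, not a Supervisor setting."""
    events = list(parse(lines))
    outages = [ts for ts, _, msg in events if any(s in msg for s in NOTARY_DOWN)]
    results = []
    for ts, _, msg in events:
        if TRUST_FAILED not in msg:
            continue
        # A failure close to a verifier timeout says nothing about the image itself.
        near_outage = any(abs(ts - o) <= window for o in outages)
        results.append((ts, "inconclusive-verifier-unreachable" if near_outage
                        else "verification-failed"))
    return results

if __name__ == "__main__":
    for ts, verdict in triage(SAMPLE):
        print(ts.isoformat(), verdict)
```

An "inconclusive" verdict means the check could not complete, so the result should be re-evaluated once the verifier answers; it is not evidence that the image is good.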

I’m joining the question because it’s bothering me. I would also like to know what data of mine is sent to third parties.

Without a detailed explanation of this point, building a home security system using HA is questionable to me.