self_verify_rejected

Summary

{1}

Help

{2}

Details

When this fires

nanook self verify ran the signed-binary admission path against the running (or --path) nanook executable and the verdict came back as anything other than Allowed. The second slot of the message names the concrete reason: missing trailer, manifest mismatch, signature did not verify under any trusted key, or hash on the revocation list.

What to check

The bullet list printed above the error names every signer in [self.signature].signers. If the binary was built by someone whose key is not on that list, paste their .pub line in and re-run. If the list is fine, the binary itself was either modified after signing or signed with a key the publisher rotated.

# inspect the trust list in the active config
nanook config show | grep -A20 '\[self.signature\]'

# re-verify after editing the list
nanook self verify --path ./nanook

If you trust the publisher but expected a different signer, ask them to re-sign with nanook self sign and ship a fresh binary.