update_trust_rejected

Diagnostic `nanook::cli::update_trust_rejected`

Summary

downloaded binary failed signature verification: {0}

Help

the new binary's trailer did not verify against [self.signature].signers. either add the matching signer with nanook self trust add <line-or-path>, or rerun with --skip-trust if you know what you're doing

Details

When this fires

nanook self update finished downloading and sha256-verified the new binary, but the embedded signature trailer did not verify against any of the keys in [self.signature].signers. The current binary is left in place; the new one never ran.

Common causes:

  • The release was published before you bootstrapped trust. Add the project release key with nanook self trust add keys/release.pub (or the canonical URL on the source forge) and rerun update.
  • The release key rotated and your trust list is stale. Pull the new key from keys/release.pub and add it.
  • The downloaded artifact was tampered with on the wire. The .sha256 check should have caught this; if it didn't, file an issue.

What to check

nanook self trust list

Compare the listed fingerprints against the canonical fingerprint published in the release notes / README. If you intentionally want to skip the trust check this once, rerun with --skip-trust. The sha256 guard still runs unless --skip-verify is also set.
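
The two guards described above, modeled as an added example that is not nanook's own code. The trailer layout (payload followed by a 64-byte Ed25519 signature), the key type and every function name are assumptions, and the keys and payload are constructed. It shows a stale trust list rejecting an update whose sha256 check passed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrDigest = errors.New("sha256 mismatch")
var ErrTrust = errors.New("trust rejected: no trusted signer verified the trailer")

// sign builds the assumed layout: payload || Ed25519 signature over payload.
func sign(priv ed25519.PrivateKey, payload []byte) []byte {
	return append(append([]byte{}, payload...), ed25519.Sign(priv, payload)...)
}

// checkUpdate runs the digest guard, then the trust guard (skipTrust models --skip-trust).
func checkUpdate(artifact []byte, published [32]byte, signers []ed25519.PublicKey, skipTrust bool) error {
	if sha256.Sum256(artifact) != published {
		return ErrDigest
	}
	if skipTrust {
		return nil
	}
	cut := len(artifact) - ed25519.SignatureSize // negative when no trailer fits
	for _, pub := range signers {
		if cut >= 0 && ed25519.Verify(pub, artifact[:cut], artifact[cut:]) {
			return nil
		}
	}
	return ErrTrust
}

// newKey derives a deterministic demo key from a constructed seed byte.
func newKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	oldPub, _ := newKey(1)
	newPub, newPriv := newKey(2) // rotated release key
	rel := sign(newPriv, []byte("constructed release payload"))
	sum := sha256.Sum256(rel)
	fmt.Println(checkUpdate(rel, sum, []ed25519.PublicKey{oldPub}, false))         // stale trust list
	fmt.Println(checkUpdate(rel, sum, []ed25519.PublicKey{oldPub, newPub}, false)) // key added
}
```

In this model an artifact that was replaced together with its digest still passes the first guard and is stopped only by the signer check, which is why the two checks are separate.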