%IPS-3-Invalid__digital_signature (signature verification failure)

Answered Question
Jul 30th, 2010

Hi,

I am trying to load the IOS-S416-CLI.pkg into my C1841 ISR, using the CLI.

The problem is that the signature cannot be extracted, and it shows me this error message: %IPS-3-Invalid__digital_signature (signature verification failure)

I am using the version 5 realm-cisco.pub signature, downloaded from Cisco tools.

Does anyone have any idea about this?

Correct Answer by Christopher Dreier about 6 years 10 months ago

Hello,


This error message literally means that the crypto signature on your router and the crypto signature in the IPS signature update do not match. This can be the result of an incorrect pubkey in your router configuration or a corrupt signature package. If you transfer the signature update from one computer to another after downloading it from Cisco.com, be sure to do the transfer in binary mode. Transferring the file in ASCII mode will remove various characters from the binary file and make the file unusable. If you have not transferred the file after downloading it from Cisco.com, or you are certain that you have not used ASCII mode to transfer the file, try downloading the file again from Cisco.com. The original download may have been corrupt.


Below is the pubkey to compare with your router configuration:


crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
Quit


Thank you,
Blayne Dreier
Cisco TAC IDS Team


**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

Overall Rating: 5 (1 ratings)
yong khang NG Tue, 08/03/2010 - 17:04

Yup, you're right.

After doing the checksum for the file, the data integrity does not tally with the file size shown on tools.cisco.

Nonetheless, I downloaded the signature package again and loaded it into the router, and everything went fine.

Thank you.
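
The binary-versus-ASCII transfer problem described in the answer, and the checksum comparison mentioned in the reply, as an added example that is not part of the original thread: it compares a downloaded file's size and SHA-512 with published values before the file is loaded on the router. The function names, the choice of SHA-512, and the CRLF-to-LF model of an ASCII-mode transfer are assumptions, and the sample package is constructed.

```python
import hashlib
import os
import tempfile

def measure(path, chunk=1 << 16):
    """Return (size_in_bytes, sha512_hex) for a file, read in chunks."""
    digest, size = hashlib.sha512(), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()

def check_package(path, expected_size, expected_sha512):
    """Compare a downloaded package with the published size and checksum.

    Returns a list of findings; an empty list means the copy is intact.
    """
    size, sha = measure(path)
    findings = []
    if size != expected_size:
        findings.append(f"size {size} != published {expected_size} "
                        "(truncated download or ASCII-mode transfer?)")
    if sha.lower() != expected_sha512.lower():
        findings.append("SHA-512 mismatch: do not load this file, download it again")
    return findings

def simulate_ascii_transfer(data):
    """Simplified model (assumption) of an ASCII-mode transfer: CRLF becomes LF."""
    return data.replace(b"\r\n", b"\n")

def demo():
    # Constructed stand-in for a binary package; NOT a real Cisco file.
    original = bytes(range(256)) * 64 + b"\r\n" * 8
    published_size = len(original)
    published_sha = hashlib.sha512(original).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in (("binary", original),
                              ("ascii", simulate_ascii_transfer(original))):
            path = os.path.join(tmp, name + ".pkg")
            with open(path, "wb") as fh:
                fh.write(payload)
            results[name] = check_package(path, published_size, published_sha)
    return results

if __name__ == "__main__":
    for mode, findings in demo().items():
        print(mode, "->", findings or "OK")
```

Running the check on the workstation that will serve the file to the router catches a damaged copy before the router's own signature verification rejects it.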

Correct Answer
Christopher Dreier Tue, 08/03/2010 - 07:20