Upgrade fails with signature invalid due to incomplete fetch of packages tar

Started by shaun90, November 18, 2025, 10:57:32 PM

I was getting a failure upgrading from 25.1 to 25.7 when fetching the packages-25.7-amd64.tar with the error "signature invalid".

The /var/cache/opnsense-upgrade directory shows that the tar was downloading to ~99% of its intended size and then moving on to the verification step. Only after downloading the tar on a different machine with wget did I get some answers. In my case, the tar briefly stops downloading at ~99% and receives a "206 Partial Content"; wget then automatically retries to recover and successfully completes the download.

I worked around the issue with the OPNsense upgrade by opening the file /usr/local/sbin/opnsense-update, editing the line starting with STAGE2 and inserting -a on the opnsense-fetch function. The -a instructs fetch to retry on soft failures.

The root cause is likely an ISP issue on my end, but I wanted to post the problem and workaround here just in case it helps others.


Quote from: connervt on Today at 12:18:47 AM
Or perhaps today's Cloudflare issue?

It could be related, but I think it has more to do with the cellular broadband connection doing something bad. It was consistently broken after 10 attempts. I also found out after posting here that the smaller "base" tar as part of the upgrade from 25.7.0 -> 25.7.7 needed the same workaround.
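
A length check run before verification, of the kind the failure in this thread suggests, as an added example (not from the posts and not OPNsense's own code): it reports a short download as truncated instead of letting it surface as an invalid signature. The function names, the sample files, and the assumption that the expected size and SHA-256 are known out of band are all hypothetical.

```shell
#!/bin/sh
# Added example: separate a truncated download from a real content mismatch.
# File names, sizes and contents are constructed sample data.

# Print the SHA-256 of a file with whichever tool the host provides
# (sha256sum on Linux, sha256 on FreeBSD).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# classify_download FILE EXPECTED_SIZE EXPECTED_SHA256
# Prints one of: ok | truncated | oversized | mismatch | missing
# Assumption: expected size and hash come from a trusted source.
classify_download() {
    file=$1; want_size=$2; want_hash=$3
    [ -f "$file" ] || { echo missing; return 0; }
    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$have_size" -lt "$want_size" ]; then
        echo truncated      # transfer stopped early: retry or resume
    elif [ "$have_size" -gt "$want_size" ]; then
        echo oversized
    elif [ "$(file_sha256 "$file")" != "$want_hash" ]; then
        echo mismatch       # full length, wrong content: do not retry blindly
    else
        echo ok
    fi
}

# Build constructed samples in DIR: a full 10000-byte file, a copy cut off
# at 99% (as described in the thread), and a same-size copy with one byte changed.
make_sample() {
    dir=$1
    head -c 10000 /dev/zero | tr '\0' 'A' > "$dir/full.tar"
    head -c 9900 "$dir/full.tar" > "$dir/short.tar"
    { head -c 9999 "$dir/full.tar"; printf 'B'; } > "$dir/flipped.tar"
}
```

Only the `truncated` result is a case where retrying the fetch is the right response; `mismatch` on a full-length file should be treated as a verification failure.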