OTA update on Xavier got some issue

I followed below link to upgrade the L4T from r32.2.1 to r32.4 on AGX Xavier.

https://docs.nvidia.com/jetson/l4t/index.html#page/Tegra%2520Linux%2520Driver%2520Package%2520Development%2520Guide%2Fquick_start.html%23wwpID0E0EB0HA

However, ‘apt update’ got some error.

Err:10 https://repo.download.nvidia.com/jetson/common r32.4 InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 0D296FFB880FB004
Err:11 https://repo.download.nvidia.com/jetson/t194 r32.4 InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 0D296FFB880FB004

xavier@xavier-desktop:~$ sudo apt update
Get:1 file:/var/cuda-repo-10-0-local-10.0.326 InRelease
Ign:1 file:/var/cuda-repo-10-0-local-10.0.326 InRelease
Get:2 file:/var/visionworks-repo InRelease
Ign:2 file:/var/visionworks-repo InRelease
Get:3 file:/var/visionworks-sfm-repo InRelease
Ign:3 file:/var/visionworks-sfm-repo InRelease
Get:4 file:/var/visionworks-tracking-repo InRelease
Ign:4 file:/var/visionworks-tracking-repo InRelease
Get:5 file:/var/cuda-repo-10-0-local-10.0.326 Release [574 B]
Get:6 file:/var/visionworks-repo Release [1,999 B]
Get:7 file:/var/visionworks-sfm-repo Release [2,003 B]
Get:5 file:/var/cuda-repo-10-0-local-10.0.326 Release [574 B]
Get:8 file:/var/visionworks-tracking-repo Release [2,008 B]
Get:6 file:/var/visionworks-repo Release [1,999 B]
Get:7 file:/var/visionworks-sfm-repo Release [2,003 B]
Get:8 file:/var/visionworks-tracking-repo Release [2,008 B]
Get:10 https://repo.download.nvidia.com/jetson/common r32.4 InRelease [2,552 B]
Get:11 https://repo.download.nvidia.com/jetson/t194 r32.4 InRelease [2,559 B]
Hit:12 Index of /ubuntu-ports bionic InRelease
Get:14 Index of /ubuntu-ports bionic-updates InRelease [88.7 kB]
Get:17 Index of /ubuntu-ports bionic-backports InRelease [74.6 kB]
Get:18 Index of /ubuntu-ports bionic-security InRelease [88.7 kB]
Err:10 https://repo.download.nvidia.com/jetson/common r32.4 InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 0D296FFB880FB004
Err:11 https://repo.download.nvidia.com/jetson/t194 r32.4 InRelease
The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 0D296FFB880FB004
Get:19 Index of /ubuntu-ports bionic-updates/main arm64 Packages [678 kB]
Get:20 Index of /ubuntu-ports bionic-updates/main arm64 DEP-11 Metadata [301 kB]
Get:21 Index of /ubuntu-ports bionic-updates/universe arm64 Packages [959 kB]
Get:22 Index of /ubuntu-ports bionic-updates/universe arm64 DEP-11 Metadata [274 kB]
Get:23 Index of /ubuntu-ports bionic-backports/universe arm64 DEP-11 Metadata [7,964 B]
Get:24 Index of /ubuntu-ports bionic-security/main arm64 Packages [471 kB]
Get:25 Index of /ubuntu-ports bionic-security/main Translation-en [236 kB]
Get:26 Index of /ubuntu-ports bionic-security/main arm64 DEP-11 Metadata [37.6 kB]
Get:27 Index of /ubuntu-ports bionic-security/universe arm64 Packages [593 kB]
Get:28 Index of /ubuntu-ports bionic-security/universe Translation-en [223 kB]
Get:29 Index of /ubuntu-ports bionic-security/universe arm64 DEP-11 Metadata [44.1 kB]
Reading package lists… Done
W: GPG error: https://repo.download.nvidia.com/jetson/common r32.4 InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 0D296FFB880FB004
E: The repository ‘https://repo.download.nvidia.com/jetson/common r32.4 InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://repo.download.nvidia.com/jetson/t194 r32.4 InRelease: The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY 0D296FFB880FB004
E: The repository ‘https://repo.download.nvidia.com/jetson/t194 r32.4 InRelease’ is not signed.
N: Updating from such a repository can’t be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I tried to fix the issue with below method, it failed with complaining keyserver receive failed: No data.

xavier@xavier-desktop:~$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0D296FFB880FB004
Executing: /tmp/apt-key-gpghome.KOCW0beMCs/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 0D296FFB880FB004
gpg: keyserver receive failed: No data

Did I miss anything?

OTA Update is only supported from JetPack 4.3 onwards. 4.2 is unsupported. You’re getting this message because Nvidia’s apt key is not installed on your machine. You could install it, technically, (it’s in the BSP tarball), but this is untested and would probably not work. Recommended you backup and reflash to 4.4, after which OTA updates will work in the future.

Thanks @mdegans. I would like to have a try installing apt key, could you please elaborate how to do that? I downloaded Tegra186_Linux_R32.4.2_aarch64.tbz2, is this the BSP tarball you mentioned?

The device is not in my hand, what I can do is to access it remotely via network. If it’s not possible to do OTA update, it might be a big trouble for me. :(

The issue is I think the boot flow changed in betweeen those releases so even if I did share with you how to do it, it would probably not just not work, but leave your system in a broken state. If you can’t access it becuase it’s a remote device, it’s probably better to leave it at JetPack 4.2 until you can access it again. If you really, really, want to try it, you can try following how this Dockerfile does it (ported to shell below). Please note that this will probably break your particular system (and you will no longer be able to access it). If you still reall want to try it, this untested script might work.:

#!/bin/sh

set -e

SOC="t194"
BSP_URI="https://developer.nvidia.com/embedded/dlc/r32-3-1_Release_v1.0/t210ref_release_aarch64/Tegra210_Linux_R32.3.1_aarch64.tbz2"
BSP_SHA512="13c4dd8e6b20c39c4139f43e4c5576be4cdafa18fb71ef29a9acfcea764af8788bb597a7e69a76eccf61cbedea7681e8a7f4262cd44d60cefe90e7ca5650da8a"

apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        wget \
    && BSP_SHA512_ACTUAL="$(wget --https-only -nv --show-progress --progress=bar:force:noscroll -O- ${BSP_URI} | tee bsp.tbz2 | sha512sum -b | cut -d ' ' -f 1)" \
    && [ ${BSP_SHA512_ACTUAL} = ${BSP_SHA512} ] \
    && echo "Extracting bsp.tbz2" \
    && tar --no-same-permissions -xjf bsp.tbz2 \
    && cp Linux_for_Tegra/nv_tegra/jetson-ota-public.key /etc/apt/trusted.gpg.d/jetson-ota-public.asc \
    && chmod 644 /etc/apt/trusted.gpg.d/jetson-ota-public.asc

echo "deb https://repo.download.nvidia.com/jetson/common r32.4 main" > /etc/apt/sources.list.d/nvidia-l4t-apt-source.list \
    && echo "deb https://repo.download.nvidia.com/jetson/${SOC} r32.4 main" >> /etc/apt/sources.list.d/nvidia-l4t-apt-source.list

apt-get update && apt-get dist-upgrade -y --autoremove

The above must be run with sudo. Please don’t blame me if the above script renders your remote system unbootable (in which case, even bigger trouble for you). That is the most likely outcome, and even if it does work there will probably be unintended consequences (in which case, big trouble for you). Nvidia did not test it this way and neither have I. Please backup anythign important to you first. I’d recommend just staying on 4.2 until you can upgrade. You will still recieve security updates from Canonical for the packages in the Ubuntu repositories.

Thanks @mdegans. If the Xavier cannot be upgraded to JetPack 4.4, it’s almost useless right now unless it with 4.2 it can run Deepstream 5.0 python, it’s not, right?

So I probably would give it a try. I noticed the first command in above script is “apt-get update”, which will run into the apt key issue. I tested it on TX2 device in my hand, it did get blocked by that.

Could you please elaborate how to overcome the apt key issue first?

If you’re interested in DeepStream, you can still run version 4.0, however I think the python bindings are no longer available for it.

Re: apt key: if you remove the changes you made to the apt lists (comment out any lines with Nvidia urls), update should work. The above script will then install the apt key and (if you’re very lucky) may upgrade your system.

on-the-fly upgrade of OS via apt package manager [ e.g. from Jetpack.4.3 to Jetpack 4.4 ] is supported starting Jetpack 4.3.