Originally introduced as part of the OneFS 9.4 security enhancements, signed upgrades help maintain system integrity by preventing a cluster from being compromised by the installation of maliciously modified upgrade packages. This is required by several industry security compliance mandates, such as the DoD Network Device Management Security Requirements Guide, which stipulates “The network device must prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization”.
With signed upgrades, all packages must be cryptographically signed before they can be installed. This applies to all upgrade types including core OneFS, patches, cluster firmware, and drive firmware. The underlying components that comprise this feature include an updated .isi format for all package types plus a new OneFS Catalog to store the verified packages. The actual upgrades themselves are still performed via either the CLI or WebUI, and are very similar to OneFS 9.3 and earlier.
Under the hood, the signed upgrade process works as follows:
Everything goes through the catalog, which comprises four basic components. There’s a small SQLite database that tracks metadata, a library which has the basic logic for the catalog, the signature library based around OpenSSL which handles all of the verification, and a couple of directories to store the verified packages.
With signed upgrades, there’s a single file to download that contains the upgrade package, README text, and all signature data, and no file unpacking required.
The .isi file format is a follows:
A ‘readme’ text file can be incorporated directly in the second region of the package file, providing instructions, version compatibility requirements, etc.
The first region, which contains the main package data, is also compatible with previous OneFS versions that don’t support the .isi format. This allows a signed firmware or DSP package to be installed on OneFS 9.3 and earlier.
The new OneFS catalog provides a secure place to store verified .isi packages, and only the root account has direct access. The catalog itself is stored at /ifs/,ifsvar/catalog and all maintenance and interaction is via the ‘isi upgrade catalog’ CLI command set. The contents, or artifacts, of the catalog each have an ID which corresponds to the SHA256 hash of the file.
Any user account with ISI_PRIV_SYS_UPGRADE privilege can perform the following catalog-related actions, expressed as flags to the ‘isi upgrade catalog’ command:
| Action | Description |
| Clean | List packages in the catalog |
| Export | Save a catalog item to a user specified file location |
| Import | Verify and add a new .isi package file into the catalog |
| List | List packages in the catalog |
| Readme | Display the README text from a catalog item or .isi package file |
| Remove | Manually remove a package from the catalog |
| Repair | Re-verify all catalog packages an rebuild the database |
| Verify | Verify the signature of a catalog item or .isi package file |
Package verification leverages the OneFS’ OpenSSL library, which enables a SHA256 hash of the manifest to be verified against the certificate. As part of this process, the chain-of-trust for the included certificate is compared with contents of the /etc/ssl/certs directory, and the distinguished name on the checked against /etc/upgrade/identities file. Finally, the SHA256 hash of the data regions is compared against values from manifest.
The signature can be checked using the ‘isi upgrade catalog verify’ command. For example:
# isi upgrade catalog verify --file=OneFS_v9.10.1.2_LTS2025_Install.isi Item Verified ----------------------------------------------------------------- /ifs/install_bundle/OneFS_v9.10.1.2_LTS2025_Install.isi True ----------------------------------------------------------------- Total: 1
Additional install image details are available via the ‘isi_packager view’ command
# isi_packager view --package=OneFS_v9.10.1.2_LTS2025_Install.isi == Region 1 == Type: OneFS Install Image Name: OneFS_Install_0x90A015000200002_B_LTS_MR_9_10_1_2_002(RELEASE) Hash: d89dd8bd4bb8940a3ab3ad07921ba43a3085381f1052ce246f3a6f2162df97d8 Size: 421828358 == Footer Details == Format Version: 1 Manifest Size: 296 Signature Size: 2958 Timestamp Size: 5935 Manifest Hash: a8654d8c038781b2b2c955009d7b5923a2645ac3267a23bbf01d342b854eea24 Signature Hash: dc68c1ea27e952736ba9f110ce91fec339a5b08beba5da0b4480c08b73367b35 Timestamp Hash: 1b082db2cd6a34ad0984768f0525cc4527e1252bb92d67fc6788cabce47f3010 == Signature Details == Fingerprint: 1a000fd963abc7620ea815fab56efa25f621c47e Issuer: Entrust Code Signing CA - OVCS2 Subject: US / Texas / Round Rock / Dell Technologies Inc. Organization: Dell Technologies Inc., Powerscale OneFS Expiration: 2025-08-13 09:39:50+00:00 Ext Key Usage: codeSigning
Packages in the catalog can be listed as follows:
# isi upgrade catalog list ID Type Description README ----------------------------------------------------- af135 OneFS OneFS 9.10.1.2_build(2)style(5) - e46ad DSP Drive_Support_v1.53 - e7f72 NFW IsiFw Package v12.4.2 2024-12-18 Included ----------------------------------------------------- Total: 3
Note that the package ID is comprised from first few characters of SHA256 hash
Packages are automatically imported when used, and verified upon import. Verification and import can also be performed manually, if desired:
# isi upgrade catalog verify --file /ifs/install_bundle/IsiFw_Package_v12.4.2.tar Item Verified ------------------------------------------------------- /ifs/install_bundle/IsiFw_Package_v12.4.2.tar True ------------------------------------------------------- Total: 1 # isi upgrade catalog import IsiFw_Package_v12.4.2.tar
Packages can also be exported from the catalog and copy to another cluster, for example. Generally, exported packages can be re-imported, too.
# isi upgrade catalog list ID Type Description README ----------------------------------------------------- af135 OneFS OneFS 9.10.1.2_build(2)style(5) - e46ad DSP Drive_Support_v1.53 - e7f72 NFW IsiFw Package v12.4.2 2024-12-18 Included ----------------------------------------------------- Total: 3 # isi upgrade catalog export --id af135 --file /ifs/data/OneFS_v9.10.1.2_LTS2025_Install.isi
However, auto-generated OneFS images cannot be reimported.
The README column of the ‘isi upgrade catalog list’ output indicates whether release notes are included for a .isi file or catalog item. If available, these can be viewed as follows:
# isi upgrade catalog readme --file /ifs/install_bundle/IsiFw_Package_v12.4.2.tar Node Firmware Package
Within a readme file, details typically include a short description of the artefact, and also which minimum OneFS version the cluster is required to be running for installation.
Cleanup of patches and OneFS images is performed automatically upon commit, and any installed packages require the artefact to be present in the catalog for successful uninstall. Similarly, the committed OneFS image is required for both patch removal and cluster expansion via node addition.
Artifacts can be removed manually as follows:
# isi upgrade catalog remove --id 840b8 This will remove the specified artifact and all related metadata. Are you sure? (yes/[no]): yes
However, always use caution if attempting to manually removing a package.
When it comes to catalog housekeeping, the ‘clean’ function will remove any catalog artifact files without database entries, although normally this happens automatically when an item is removed.
# isi upgrade catalog clean This will remove any artifacts that do not have associated metadata in the database. Are you sure? (yes/[no]): yes
Additionally, the catalog ‘repair’ function will rebuild the database and re-import all valid items, as well as re-verifying their signatures:
# isi upgrade catalog repair This will attempt to repair the catalog directory. This will result in all stored artifacts being re-verified. Artifacts that fail to be verified will be deleted. Additionally, a new catalog directory will be initialized with the remaining artifacts. Are you sure? (yes/[no]): yes
When installing a signed upgrade, firmware or drive support package (DSP) on a cluster running OneFS 9.4 or later, the command syntax used is fundamentally the same as in prior OneFS versions, with only the file extension itself having changed. The actual install file will have the ‘.isi’ extension, and the file containing the hash value for download verification will have a ‘.isi.sha256’ suffix. For example, take the v1.53 drive support package files:
- Drive_Support_v1.53.tar
- Drive_Support_v1.53.tar.sha256
The following syntax can be used to initiate a parallel OneFS signed upgrade:
# isi upgrade start --install-image-path /ifs/install.isi -–parallel
Alternatively, if the desired upgrade image package is already in the catalog, it can be installed using the ‘—install-image-id’ flag instead:
# isi upgrade start --install-image-id 00b9c –parallel
Or to upgrade a cluster’s firmware:
# isi upgrade firmware start --fw-pkg /ifs/IsiFw_Package_v12.4.2.isi –-rolling
And upgrading a cluster’s firmware using the ID of a package that’s in the catalog:
# isi upgrade firmware start --fw-pkg-id cf01b -–rolling
To initiate a simultaneous upgrade of a patch:
# isi upgrade patches install --patch /ifs/patch.isi -–simultaneous
And finally, to initiate a simultaneous upgrade of a drive firmware package:
# isi_dsp_install Drive_Support_v1.53.1.isi
Note that patches and drive support firmware are not currently able to be installed by their package IDs.
The current version of node firmware that a cluster is running can be determined by viewing the contents of the isi_hwmon file, located in a log set under each node’s root path. Ie: <node-lnn>/isi_hwmon
--- FirmwareCheck Diagnostics --- Packages: IsiFw_Package_v12.4.2.tar Drive_Support_v1.53.1.tgz
Similarly, there is a JSON file in a cluster’s log gather that holds all the firmware versions of the components on the system, in addition to the firmware package used to install the firmware. This file is located on each node under the path:
<node-lnn>/upgrade_local.tar/var/ifs/upgrade/firmware_status.json
A committed upgrade image from the previous OneFS upgrade is automatically saved in the catalog, and also created automatically when a new cluster is configured. This image is required for new node joins, as well as when uninstalling patches. However, it’s worth noting that auto-created images will not have a signature and, while they may be exported, they cannot be re-imported back into the catalog.
In the event that the committed upgrade image is missing, CELOG events will be generated and the ‘isi upgrade catalog repair’ command output will display an error. Additionally, when it comes to troubleshooting the signed upgrade process, it can pay to check both /var/log/messages and /var/log/isi_papi_d.log, as well as to the OneFS upgrade logs .