Description
This issue is related to the scenario where we have a standalone 2-tier RAUC PKI:
- An offline-managed Root CodeSigning CA serves as the trust anchor for devices.
- An online-managed Sub CodeSigning CA issues and revokes developer code signing certificates (leafs).
Enabling CRL verification (check-crl=true in config) requires, at the time of installing a bundle, the CRLs of the Root CA and the Sub CA.
However, for CRLs, RAUC does not seem to look in the PEM file passed with --intermediate at the time of bundle generation. The only way seems to be to have the CRL of the Sub CA already present in the target's keyring; otherwise, we get an error "unable to get CRL...".
This behavior seems very limiting because, in the case where the Sub CA is lost (loss of keys), we find ourselves unable to install an update signed with a key (leaf) certified with a new Sub CA. The latter will not be accepted by the target, which does not possess a CRL for the new Sub CA in its keyring.
Workaround
As a workaround, we proceed as follows:
- Offline backup of the Sub CA keys.
- In the event that the Sub CA is compromised, publish and install an update signed with the compromised CA that:
  - updates the CRL of the root CA in the keyring (CRL that revokes the compromised Sub CA)
  - adds the CRL of a new Sub CA to the keyring
The expected behavior would be for RAUC to fetch the CRL of the intermediate CA passed with --intermediate in the same PEM file provided with --intermediate. This would allow directly passing an update signed with keys certified by a new, intact Sub CA if the Sub CA has been compromised. The offline-managed Root CA could then properly play its role as the sole trust anchor.
Does this issue seem relevant to you?