Code signing firmware updates

Frank LaRosa
Posts: 3
Joined: Tue Feb 20, 2024 4:24 pm

Code signing firmware updates

Postby Frank LaRosa » Sun Mar 31, 2024 12:15 pm

My project uses the ESP32 chip with software based on AmazonFreeRTOS, and we use Amazon IoT services for internet connectivity.

I am not primarily a firmware developer but I've had to take over the project. At the moment I need to demonstrate the ability to send firmware updates to remote devices using Amazon's OTA update delivery mechanism.

Amazon requires that OTA updates be signed, and this is where I'm running into a problem. The output of the compiler is a binary file (.bin). I know this file is correct because I can load it onto a dev kit using a USB connection. However I cannot figure out how to sign the file.

I tried using Amazon's Code Signer service, which reports "Invalid file format". I also tried using Windows' SignTool command, and got a similar response, "The format cannot be signed because it is not recognized". So it would appear that neither of these tools is able to sign my file because they do not recognize the file type. I don't know what the file type is, or what I'm supposed to use to sign it.

I know my signing certificate is valid because Code Signer will sign a ZIP file with it, and SignTool works on a desktop Windows application that I develop. I also tried using Code Signer with a self-signed certificate as a test.

Any advice would be appreciated, thanks.

Frank LaRosa
Posts: 3
Joined: Tue Feb 20, 2024 4:24 pm

Re: Code signing firmware updates

Postby Frank LaRosa » Mon Apr 01, 2024 4:16 am

As a followup, I figured out that I was trying to sign a file which was already signed by the build process. I'm able to send this file without signing it again. I'm also able to build an unsigned version, then sign it through an AWS signing function, and send that.

In both cases, the OTA update arrives at the device and is then rejected with "Signature verification failed". The error comes from ota_pal_cgp.c:454.

What I think is going on is that the existing binary on the device is trying to decode the incoming OTA update using a key that is embedded in it, and that fails because I haven't signed it with the matching certificate. I'm now searching for that key in the source code but I cannot seem to find it. Does anyone know what I should be looking for?

Thanks,
Frank

Who is online

Users browsing this forum: No registered users and 102 guests