Code signing firmware updates
Posted: Sun Mar 31, 2024 12:15 pm
My project uses the ESP32 chip with software based on AmazonFreeRTOS, and we use Amazon IoT services for internet connectivity.
I am not primarily a firmware developer but I've had to take over the project. At the moment I need to demonstrate the ability to send firmware updates to remote devices using Amazon's OTA update delivery mechanism.
Amazon requires that OTA updates be signed, and this is where I'm running into a problem. The output of the compiler is a binary file (.bin). I know this file is correct because I can load it onto a dev kit using a USB connection. However, I cannot figure out how to sign the file.
I tried using Amazon's Code Signer service, which reports "Invalid file format". I also tried using Windows' SignTool command, and got a similar response, "The format cannot be signed because it is not recognized". So it would appear that neither of these tools is able to sign my file because they do not recognize the file type. I don't know what the file type is, or what I'm supposed to use to sign it.
I know my signing certificate is valid because Code Signer will sign a ZIP file with it, and SignTool works on a desktop Windows application that I develop. I also tried using Code Signer with a self-signed certificate as a test.
Any advice would be appreciated, thanks.