
I inherited an ESP-32 firmware project based on AmazonFreeRTOS. I know how to build it but I'm not extremely familiar with this kind of programming.

The other developer never created a signing key intended for production, but there is a "developkey.pem" file in with the source code. Unfortunately the company has already distributed units of the project built with this key. I need to validate that we can perform OTA updates.

Whenever I try to send such an update, the device receives it but won't install it. The error says "Signature verification failed".

In my source code there are two build scripts, one that is supposed to build a signed version and one unsigned. Initially I was building the signed version and sending that. Later I tried building the unsigned version and signing it with the AWS signer using a code signing certificate (one that is unrelated to the rest of the project). Both things failed.

I know that the failure occurs in a function called "CRYPTO_SignatureVerificationFinal" but I don't know why.

I'm probably missing some fundamental concept here. Does a new build need to be code signed with the same certificate as the old build, or does it just require a valid code signature? Is the failure message even due to the code signing or is it objecting to something else? Does a build even need to be signed in order to be delivered this way?

It's possible that the 'developkey.pem' file I have is not the same one that was used to make the build that ended up on the units. However, I have been able to take one of my updated builds and load it onto the device through the serial port, which I think means that the signature is good, otherwise the secure bootloader wouldn't accept it (I might be wrong about how this works though).

Thanks for your help.

  • To answer your first question - yes, you need to sign the code for the device to trust the update. A direct installation through the serial port bypasses that process so that's immaterial in your case. You will need the correct code signing profile and certificate or create a new one. Are you following the steps mentioned here - docs.aws.amazon.com/freertos/latest/userguide/… Commented Mar 31, 2024 at 23:25
  • I tried following both these instructions and a similar set of instructions left by the previous developer which use the aws cli utility. Same result either way. I'm concerned that I simply do not have the correct signing key. My understanding is that there is a public key somewhere in the firmware that is used to decode the OTA update, but I can't figure out where that is in the source code. I also don't really know what the path names are or the hash method. I'm trying to find this out by reading the code, but it's not obvious. Commented Apr 1, 2024 at 4:00
  • I think that if I locate the public key that the existing code is using to decode the incoming update, that would at least tell me if I have the right private key. I have searched around quite a bit for anything that looks like a key file or a constant in the source code that looks like it could be a key, but I haven't found anything. Commented Apr 1, 2024 at 4:06
  • hmm.. I think these are short lived certificates and they do expire. You might need to use IoT Jobs to trigger a signing certificate update. Also, I don't think it's the code that pulls it. It should be the firmware (I'm being cautious of not using an incorrect term here). But surely not the code itself. Think of it as an update to the mobile app store. It's the iOS (or the platform) that tells that there is an update and signed (and not the actual app itself). You need similar code signing certificates on all app stores. Commented Apr 1, 2024 at 4:51
  • So is my update failing because I don't have the right signing certificate, or is it failing because I don't have a valid signing certificate? This is where I'm confused. Commented Apr 1, 2024 at 14:25
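The following is an added illustration, not code from the question, the comments, or the AmazonFreeRTOS source. It models the trust relationship the comments circle around: the device carries only the public half of one specific signing key, and an OTA image is accepted only when its signature verifies under that key, so a "valid" signature from an unrelated code-signing certificate fails exactly like a corrupt one. It also shows the check the asker wants, namely whether a given private key corresponds to the public key the firmware trusts. File names (dev_key.pem, other_key.pem, embedded_pub.pem, image.bin) are placeholders, the image bytes are constructed, and the SHA-256 with ECDSA P-256 combination is an assumption about the project rather than something the page states.

```shell
#!/bin/sh
# Added illustration, not code from the question or from AmazonFreeRTOS.
# The device trusts only the public key compiled into the shipped firmware
# and accepts an OTA image only if its signature verifies under that key.
# File names are placeholders; SHA-256 + ECDSA P-256 is assumed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Two unrelated ECDSA P-256 private keys: the one the shipped build was
# signed with, and a freshly issued, perfectly valid but unrelated key.
openssl ecparam -name prime256v1 -genkey -noout -out dev_key.pem
openssl ecparam -name prime256v1 -genkey -noout -out other_key.pem

# The firmware carries only the public half of the first key.
openssl pkey -in dev_key.pem -pubout -out embedded_pub.pem

# Constructed stand-in for a firmware image.
printf 'constructed firmware image, build 2\n' > image.bin

# sign_image <private key> <image> <signature out>
sign_image() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_image <image> <signature>: what the device does with its embedded
# key. Exit status 0 = accepted, non-zero = "Signature verification failed".
verify_image() {
    openssl dgst -sha256 -verify embedded_pub.pem -signature "$2" "$1" >/dev/null 2>&1
}

# key_matches_firmware <private key>: does this private key correspond to
# the public key the firmware trusts? Compares the derived public key to the
# embedded one byte for byte.
key_matches_firmware() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(cat embedded_pub.pem)" ]
}

sign_image dev_key.pem   image.bin dev.sig
sign_image other_key.pem image.bin other.sig

verify_image image.bin dev.sig   && echo "dev_key.pem signature:   accepted"
verify_image image.bin other.sig || echo "other_key.pem signature: Signature verification failed"

key_matches_firmware dev_key.pem   && echo "dev_key.pem matches the embedded public key"
key_matches_firmware other_key.pem || echo "other_key.pem does not match the embedded public key"
```

To run the same comparison against the real project, derive the public key from the candidate private key with `openssl pkey -in developkey.pem -pubout` and compare it with the public key of the certificate the firmware trusts, which can be printed from a certificate file with `openssl x509 -in <cert.pem> -pubkey -noout`. In the stock AWS FreeRTOS demo projects that trusted certificate is a PEM string compiled into the image (the `signingcredentialSIGNING_CERTIFICATE_PEM` constant in `aws_ota_codesigner_certificate.h`); a project may have moved it, so searching the source tree for `BEGIN CERTIFICATE` is the quickest way to locate it. If the two public keys differ, no signing profile built around `developkey.pem` will be accepted by the units already in the field, regardless of how valid the new certificate is.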
