IoT Job Document to match OTA Update

Question

Hello,

We are using golang aws sdk v2 to automate creation of OTA update for firmware rollouts. We are using FreeRTOS-Default as the code signing platform.

Noting from the documentation, [CreateOTAUpdateInput](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iot#CreateOTAUpdateInput) does not include the option to specify aws job retries or maintenance window, but [CreateJobInput](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iot#CreateJobInput) does. So we are trying to migrate our use of CreateOTAUpdate to CreateJob.

So far we have been able to start a signing job, create a stream, and generate a job document. But now in order to match the job document generated by CreateOTAUpdate, there is a "sig-sha256-ecdsa" key. What is this value? Can it be derived from the signed object?

Here is the format of job document (details scrubbed):

```
{
  "afr_ota": {
    "protocols": [
      "MQTT"
    ],
    "streamname": "",
    "files": [
      {
        "filepath": "/",
        "filesize": ,
        "fileid": 0,
        "certfile": "Code Verify Key",
        "sig-sha256-ecdsa": ""
      }
    ]
  }
}
```

Thanks.

Accepted Answer

Hi. It's the signature created by `CreateOTAUpdate` through a call to `StartSigningJob`. `CreateOTAUpdate` creates the signing job with the destination being the same bucket as the source file, and putting the object in the `SignedImage` prefix or folder. `CreateOTAUpdate` puts two object versions in the same object key: the newer version is the original raw binary file, the older object version is the signed object. This is a JSON file containing the binary in base64 as a payload, and containing the signature. Like this:

```
{"rawPayloadSize":366816,"signature":"MEUCIDyuNCD5LlP1crNWd/tuqGhLR00YLeXMked9fSDMYYDrAiEAoUM/Z7h4Hr9VmaTxgCJoF+cRA1KZuSXQ3UIRdOQbuFo=","signatureAlgorithm":"SHA256withECDSA","payload":"U0ZVTQEAAQDgkAUAAAAAAOCQBQBye44U047pAAzyQXKlLOlTw3f3TuXyfhtOBdFufo33iHJ7jhTTjukADPJBcqUs6VPDd/dO5fJ+G04F0W5+jfeIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwggJRMIIB ........."}
```

The `signature` key holds the value you need for the job document.

Note that the key in the job document should only be `sig-sha256-ecdsa` if the signing algorithm is SHA256withECDSA.

IoT Job Document to match OTA Update

관련 콘텐츠