By using AWS re:Post, you agree to the Terms of Use

Creating IoT OTA update via CLI



I'm trying to create an OTA update job in the manner of FreeRTOS, but having trouble with the AWS CLI. When I create the OTA job via the console UI, the update works as expected. However, when I try to create the job via the CLI, I run into an issue (see below for specific command). The issue appears to be caused by the contents of the Job Document, specifically the "sig-sha256-ecdsa" field. When I create it using the below method, the contents of the field appears to be the decoded base64 binary:

"sig-sha256-ecdsa": "0D\u0002 \r�\u001f\t�M�hj�j}W\\욒��(n5]�i\"\u000b���\nD\u0002 $�\u001b+\u001eV�\u000ed�$�N�(��E؅��\u001et8 ��\u0000\u000f\u001f�"

The documentation for the create-ota-update command states that the "inlineDocument" field of the "signature" object is "A base64 encoded binary representation of the code signing signature". However, it appears that I actually need to double-base64-encode the field - is this correct?

For example, the signature in binary is:

3044 0220 0dee 1f09 d34d eb68 6ab1 6a7d
575c ec9a 929e 8628 6e35 5de9 6922 0bdb
c2c5 0a44 0220 24c5 1b2b 1e56 a10e 6482
24f9 4ec6 28b3 e045 d885 f79e 1e74 3820
f581 000f 1fc0

Base64 encoded once that becomes: MEQCIA3uHwnTTetoarFqfVdc7JqSnoYobjVd6WkiC9vCxQpEAiAkxRsrHlahDmSCJPlOxiiz4EXYhfeeHnQ4IPWBAA8fwA==. This is the value seen below that causes an issue.

Base64 encoded again, this becomes: TUVRQ0lBM3VId25UVGV0b2FyRnFmVmRjN0pxU25vWW9ialZkNldraUM5dkN4UXBFQWlBa3hSc3JIbGFoRG1TQ0pQbE94aWl6NEVYWWhmZWVIblE0SVBXQkFBOGZ3QT09. This value appears to work. Is this the correct way to use the API? When using boto3, what is the proper way to make this call?

Thank you!

Command: aws iot create-ota-update --cli-input-json file://fotaArguments.json

fotaArguments.json contents:

    "otaUpdateId": "ota-test-23",
    "description": "Testing an update",
    "targets": [
    "targetSelection": "SNAPSHOT",
    "files": [
            "fileName": "/path/to/update.bin",
            "fileLocation": {
                "s3Location": {
                    "bucket": "bucket-name",
                    "key": "update.bin"
            "codeSigning": {
                "customCodeSigning": {
                    "signature": {
                        "inlineDocument": "MEQCIA3uHwnTTetoarFqfVdc7JqSnoYobjVd6WkiC9vCxQpEAiAkxRsrHlahDmSCJPlOxiiz4EXYhfeeHnQ4IPWBAA8fwA=="
                    "hashAlgorithm": "SHA256",
                    "signatureAlgorithm": "ECDSA",
                    "certificateChain": {
                        "certificateName": "/path/to/fw_signing_public_key.pem"
    "roleArn": "arn:aws:iam::xxxxx:role/xxxxxxxxxx80D6CF5A-1PZCGRLJ44XJE"
1 Answers

Hi. I hadn't tried to use custom code signing before, but I am able to pass the (once) base 64 encoded string MEQCIA3uHwnTTetoarFqfVdc7JqSnoYobjVd6WkiC9vCxQpEAiAkxRsrHlahDmSCJPlOxiiz4EXYhfeeHnQ4IPWBAA8fwA== to any of the console, CLI or boto3 SDK. All 3 methods create a job with the same job document, containing:

"sig-sha256-ecdsa": "MEQCIA3uHwnTTetoarFqfVdc7JqSnoYobjVd6WkiC9vCxQpEAiAkxRsrHlahDmSCJPlOxiiz4EXYhfeeHnQ4IPWBAA8fwA=="

If I get the OTA job (aws iot get-ota-update) the inline document returned is the twice encoded string:

"signature": {
    "inlineDocument": "TUVRQ0lBM3VId25UVGV0b2FyRnFmVmRjN0pxU25vWW9ialZkNldraUM5dkN4UXBFQWlBa3hSc3JIbGFoRG1TQ0pQbE94aWl6NEVYWWhmZWVIblE0SVBXQkFBOGZ3QT09"

I don't know why that's reencoded. Regardless, I don't see a problem nor any difference between the console, CLI or SDK behaviour.

I'm wondering if you have a problem with the file encoding: . Also what version of the CLI are you using? This is mine:

aws-cli/2.6.1 Python/3.9.11 Linux/5.15.0-41-generic exe/x86_64.ubuntu.20 prompt/off

Could you perhaps try boto3 to see if that works for you? The boto3 script would be similar to:

import boto3

iot = boto3.client('iot')

response = iot.create_ota_update(
    otaUpdateId = 'repost-1',
    targets = ['arn:aws:iot:us-east-1:012345678901:thing/myThing'],
    files = [
            'fileName': '/path/to/update.bin',
            'fileLocation': {
                's3Location': {
                    'bucket': 'bucketName',
                    'key': 'fileName'
            'codeSigning': {
                'customCodeSigning': {
                    'signature': {
                        'inlineDocument': 'MEQCIA3uHwnTTetoarFqfVdc7JqSnoYobjVd6WkiC9vCxQpEAiAkxRsrHlahDmSCJPlOxiiz4EXYhfeeHnQ4IPWBAA8fwA=='
                    'hashAlgorithm': 'SHA256',
                    'signatureAlgorithm': 'ECDSA',
                    'certificateChain': {
                        'certificateName': '/path/to/fw_signing_public_key.pem'
    roleArn = 'arn:aws:iam::012345678901:role/afr-ota-update'
answered 17 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions