IoT Job Document to match OTA Update

0

Hello,

We are using golang aws sdk v2 to automate creation of OTA update for firmware rollouts. We are using FreeRTOS-Default as the code signing platform.

Noting from the documentation, CreateOTAUpdateInput does not include the option to specify aws job retries or maintenance window, but CreateJobInput does. So we are trying to migrate our use of CreateOTAUpdate to CreateJob.

So far we have been able to start a signing job, create a stream, and generate a job document. But now in order to match the job document generated by CreateOTAUpdate, there is a "sig-sha256-ecdsa" key. What is this value? Can it be derived from the signed object?

Here is the format of the job document (details scrubbed):

{
  "afr_ota": {
    "protocols": [
      "MQTT"
    ],
    "streamname": "<stream>",
    "files": [
      {
        "filepath": "/",
        "filesize": <filesize>,
        "fileid": 0,
        "certfile": "Code Verify Key",
        "sig-sha256-ecdsa": "<what is this???>"
      }
    ]
  }
}

Thanks.

asked 10 months ago, 363 views
1 Answer
1
Accepted Answer

Hi. It's the signature created by CreateOTAUpdate through a call to StartSigningJob. CreateOTAUpdate creates the signing job with the destination being the same bucket as the source file, and putting the object in the SignedImage prefix or folder. CreateOTAUpdate puts two object versions in the same object key: the newer version is the original raw binary file, the older object version is the signed object. This is a JSON file containing the binary in base64 as a payload, and containing the signature. Like this:

{"rawPayloadSize":366816,"signature":"MEUCIDyuNCD5LlP1crNWd/tuqGhLR00YLeXMked9fSDMYYDrAiEAoUM/Z7h4Hr9VmaTxgCJoF+cRA1KZuSXQ3UIRdOQbuFo=","signatureAlgorithm":"SHA256withECDSA","payload":"U0ZVTQEAAQDgkAUAAAAAAOCQBQBye44U047pAAzyQXKlLOlTw3f3TuXyfhtOBdFufo33iHJ7jhTTjukADPJBcqUs6VPDd/dO5fJ+G04F0W5+jfeIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwggJRMIIB ........."}

The signature key holds the value you need for the job document.

Note that the key in the job document should only be sig-sha256-ecdsa if the signing algorithm is SHA256withECDSA.

Greg_B (AWS, EXPERT)
answered 10 months ago
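
The step described in the answer above, as an added Go example that is not part of the original thread or AWS code: it reads the signed object, refuses any signatureAlgorithm other than SHA256withECDSA, and copies the signature into the job document. BuildJobDocument, sampleSigned and the stream name are hypothetical; the sample object is constructed (the signature shown in the answer with a shortened payload), and the DER check assumes signatures have the same form as that sample.

```go
package main

import (
	"encoding/asn1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// Constructed sample: signature copied from the answer above, payload shortened.
const sampleSigned = `{"rawPayloadSize":11,"signature":"MEUCIDyuNCD5LlP1crNWd/tuqGhLR00YLeXMked9fSDMYYDrAiEAoUM/Z7h4Hr9VmaTxgCJoF+cRA1KZuSXQ3UIRdOQbuFo=","signatureAlgorithm":"SHA256withECDSA","payload":"Y29uc3RydWN0ZWQ="}`

// signedObject mirrors the two fields of the signed object that the job document depends on.
type signedObject struct {
	Signature          string `json:"signature"`
	SignatureAlgorithm string `json:"signatureAlgorithm"`
}

// BuildJobDocument (hypothetical helper) builds the afr_ota job document from a signed object.
func BuildJobDocument(signed []byte, stream, certFile string, fileSize int64) ([]byte, error) {
	var so signedObject
	if err := json.Unmarshal(signed, &so); err != nil {
		return nil, fmt.Errorf("parse signed object: %w", err)
	}
	// The sig-sha256-ecdsa key is only correct for SHA256withECDSA; reject anything else.
	if so.SignatureAlgorithm != "SHA256withECDSA" {
		return nil, fmt.Errorf("unsupported signatureAlgorithm %q", so.SignatureAlgorithm)
	}
	der, err := base64.StdEncoding.DecodeString(so.Signature)
	if err != nil {
		return nil, fmt.Errorf("signature is not base64: %w", err)
	}
	// Assumption from the sample: the signature is a DER SEQUENCE of two integers (r, s).
	var rs struct{ R, S *big.Int }
	if rest, err := asn1.Unmarshal(der, &rs); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("signature is not a DER-encoded ECDSA signature")
	}
	file := map[string]interface{}{
		"filepath": "/", "filesize": fileSize, "fileid": 0,
		"certfile": certFile, "sig-sha256-ecdsa": so.Signature,
	}
	doc := map[string]interface{}{"afr_ota": map[string]interface{}{
		"protocols": []string{"MQTT"}, "streamname": stream, "files": []interface{}{file},
	}}
	return json.MarshalIndent(doc, "", "  ")
}

func main() { out, err := BuildJobDocument([]byte(sampleSigned), "demo-stream", "Code Verify Key", 366816); fmt.Println(string(out), err) }
```

Rejecting a truncated or wrong-algorithm signature here keeps a job document that devices would fail to verify from being rolled out.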
