AWS IoT OTA with already signed image

I’m trying to set-up an OTA firmware update job using an already signed image. AWS IoT Job creating wizzard asks for a PEM formatted signature:

Presumably this is a signature of my OTA image and I should be able to get it using e.g. openssl.
The command I’m using is giving me a signature but it’s in binary format.

openssl dgst -sha256 -sign ecdsasigner.key firmware.bin > signature.bin

Any idea how to convert it to PEM or maybe a better way of calculating OTA image signature that will be accepted by AWS?


Please convert signature in base64 encoded form from the binary -

openssl base64 -in signature.bin -out signature.base64

and then copy the content of signature.base64 in the code signature box.

Let me know if you see any issues using this.

Hi @pvyawaha

Thank you for the replay. Converting to base64 worked indeed. Below is a full list of commands to get working signature for pre-signed OTA image.

openssl dgst -sha256 -binary -out hash.bin firmware.bin
openssl pkeyutl -sign -inkey ecdsasigner.key -in hash.bin -out signature.bin
openssl base64 -in signature.bin -out signature.base64

In OTA job setup just paste content of signature.base64 as a single line of text.

1 Like