ESP32 OTA + Code Signature - E (###) ota_pal: signature verification failed

AdrianL wrote on October 10, 2018:

I have followed the OTA setup procedures for the ESP32 with much success but am having issues with the code signature verification. I am able to successfully download all of the blocks, but the update fails with the following error:

E (5320617) ota_pal: signature verification failed

The problem stems from a lack of understanding of how we are intended to properly integrate the signature keys into the esp firmware build for verification. I have created the code sign certificate following this [https://docs.aws.amazon.com/freertos/latest/userguide/ota-code-sign-cert-esp.html].

I then included the cert that I created into aws_ota_codesigner_certificate.h as outlined here [https://docs.aws.amazon.com/freertos/latest/userguide/ota-download-freertos.html]. I followed the same formatting as recommended for the Microchip Curiosity PIC32MZEF with the new lines as quotes. So that it looked like the following:

static const char signingcredentialSIGNING_CERTIFICATE_PEM[] = "-----BEGIN CERTIFICATE-----/n"
"MIIBVjCB/aA######################################################wwT/n"
"YWRyaWF######################################################EwMTAyMDUy/n"
"NDFaMB4######################################################OPQIB/n"
"Bggqh######################################################DnB96Klxx92P/n"
"Lc/fPu######################################################Q8EBAMCB4Aw/n"
"EwY######################################################1hDe/n"
"Cip1######################################################r/6U/n"
"w##########H1Q==/n"
"-----END CERTIFICATE-----";

(I have replaced most of the key here with a random number of hashes for obvious reasons)

I have also tried the key as a single line with similar results.
My best guess as to what is going wrong is that I do not know what the proper "Pathname of code signing certificate on device" is when creating a code signing profile for the IoT job for the ESP32. I have tried "ecdsasigner.crt", "/", and "signingcredentialSIGNING_CERTIFICATE_PEM".

Similarly, I put “/” for the “Pathname of firmware image on device.” I assume that any input here would be okay since it is just needed to allow me to click next (the box should be optional in the form but it is not).

Any help would be much appreciated. I can also provide any additional information that is pertinent. Thanks!

AdrianL wrote on October 11, 2018:

Face-palm…
The escape new line characters were the wrong direction. Working now.

tmann wrote on December 23, 2018:

I am getting the signature verification failed also. I have triple checked the procedure. I believe the signingcredentialSIGNING_CERTIFICATE_PEM[] constant I’m using is OK.
When you had success, which code signing platform did you use when creating the OTA job? (ESP-WROVER-KIT or ESP32-DevKitC). I’m unclear why they would be different - they are both SHA256WITHECDSA.
Did using “/” as the “Pathname of firmware image on device.” work OK? (I also assume it doesn’t matter).
Do you have other suggestions for things I should check or verification I should do?
I am using an ESP32 version 0 (over a year old); would the version make a difference? What hardware did you run your OTA on?
Thanks in advance.

tmann wrote on December 24, 2018:

User error: the aws_demo.bin I had loaded to do the OTA with (version 0.9.2) didn't have the certificate configured in the .h file. The signature in the bin file that was downloaded (version 0.9.3) was fine.
The OTA upgrade works fine with a v0 version of the ESP on custom hardware using the ESP32-DevKitC signing profile.

couper321 wrote on April 03, 2019:

What did you end up using for your "Pathname of code signing certificate on device" in the Create a code signing profile step, just a "/"?

EDIT: Mine ended up working with a "/" for the pathname, as the code is designed to find the aws_ota_codesigner_certificate.h file, so make sure the signingcredentialSIGNING_CERTIFICATE_PEM[] const has your signing certificate in the correct syntax, as that's where my issue was.

TiglathIII wrote on June 05, 2019:

I can confirm that the “Pathname of code signing certificate on device” should be set to “/” and I also set the “Pathname of firmware image on device” to “/” just for good measure.

Your aws_ota_codesigner_certificate.h file must also be hand edited with your code signing certificate: you must put double quotes (") around each separate line and add "\n" to the end of each line. Also, don't forget the semi-colon at the end.

static const char signingcredentialSIGNING_CERTIFICATE_PEM[] = "-----BEGIN CERTIFICATE-----\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n"
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==\n"
"-----END CERTIFICATE-----\n";

prasadvya wrote on June 05, 2019:

Hi,

You can use the script PEMfileToCString.html in the tools folder to convert a PEM file into a C string instead of hand editing it. This will avoid any unwanted changes that might break the cert parsing, which would result in a code signature verification failure.

Thanks.
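
Added example (editor's note, not part of the thread and not the PEMfileToCString.html tool shipped with Amazon FreeRTOS): a host-side Python script that does the PEM-to-C-string conversion the thread is about, then parses the resulting C declaration back the way a compiler would and runs the framing, base64 and DER-length checks a PEM parser performs before any signature is looked at. It reproduces the two failure modes reported above: the "/n" instead of "\n" escape from the first post, and the cert pasted as a single line. The certificate is a constructed DER placeholder (a SEQUENCE wrapping an OCTET STRING, not a real X.509 certificate) so the script runs offline; in use you would read ecdsasigner.crt instead. The function and constant names are the script's own, not FreeRTOS APIs.

```python
"""pem_to_header.py: host-side helper for aws_ota_codesigner_certificate.h.

Converts a PEM certificate into the C string literal the header expects,
and checks that a literal (as pasted into a header) parses back into PEM.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
C_NAME = "signingcredentialSIGNING_CERTIFICATE_PEM"


def der_tlv(tag, content):
    """Minimal DER TLV with short-form length (enough for the placeholder)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


# Constructed placeholder: SEQUENCE { OCTET STRING <100 bytes> }. It is NOT a
# real X.509 certificate; in use, read the real ecdsasigner.crt instead.
SAMPLE_DER = der_tlv(0x30, der_tlv(0x04, bytes(range(100))))


def pem_encode(der, width=64):
    """Wrap DER bytes as a standard PEM CERTIFICATE block (64-char lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([BEGIN] + lines + [END]) + "\n"


SAMPLE_PEM = pem_encode(SAMPLE_DER)


def pem_to_c_literal(pem_text, name=C_NAME):
    """Quote every PEM line and terminate it with the *escape* \\n, which the
    compiler turns into a real newline inside the char array."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    quoted = ['"%s\\n"' % ln for ln in lines]
    return "static const char %s[] = %s;\n" % (name, "\n    ".join(quoted))


_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}


def c_literal_to_string(c_source):
    """Concatenate the adjacent string literals of a C declaration and apply
    the escapes a C compiler would. '/n' is not an escape, so it survives as
    two ordinary characters, exactly as it did on the device."""
    out = []
    for m in _LITERAL.finditer(c_source):
        piece = m.group(1)
        i = 0
        while i < len(piece):
            if piece[i] == "\\":
                i += 1
                if piece[i] not in _ESCAPES:
                    raise ValueError("unsupported escape \\" + piece[i])
                out.append(_ESCAPES[piece[i]])
            else:
                out.append(piece[i])
            i += 1
    return "".join(out)


def check_pem(text):
    """Return (ok, reason) after the checks a PEM/DER parser makes before any
    signature is verified: framing lines, base64 body, DER SEQUENCE length."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN:
        return False, "BEGIN line not on its own line (newlines lost?)"
    if lines[-1] != END:
        return False, "END line not on its own line"
    body = "".join(lines[1:-1])
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        return False, "body is not valid base64"
    der = base64.b64decode(body)
    if len(der) < 2 or der[0] != 0x30:
        return False, "DER does not start with a SEQUENCE"
    header, declared = 2, der[1]
    if declared & 0x80:  # long-form length: next N bytes hold the length
        n = declared & 0x7F
        declared = int.from_bytes(der[2:2 + n], "big")
        header += n
    if header + declared != len(der):
        return False, "DER length does not match content"
    return True, "PEM parses and wraps one DER SEQUENCE"


def check_header(c_source):
    """Apply check_pem to what the C compiler would actually put in memory."""
    return check_pem(c_literal_to_string(c_source))


if __name__ == "__main__":
    good = pem_to_c_literal(SAMPLE_PEM)
    print(good)
    print("correct \\n escapes: ", check_header(good))
    print("'/n' as in the post:", check_header(good.replace("\\n", "/n")))
    print("single line, no \\n: ", check_header(good.replace("\\n", "")))
```

Run it against the real certificate by replacing SAMPLE_PEM with the contents of ecdsasigner.crt; the printed declaration can be pasted into aws_ota_codesigner_certificate.h as-is. The check only establishes that the string the firmware sees is well-formed PEM around a DER SEQUENCE; whether that certificate actually matches the key used in the code signing profile is still decided by the device's signature verification.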

TiglathIII wrote on June 06, 2019:

Cool, thanks