OTA failed with "Signature verification failed" error

Hi,
I am using an STM32L4R9ZIT6 controller with an EC20 for LTE connectivity.
I have been working on the OTA library and am facing an issue with the signature failed error.
When I create an OTA job in AWS IoT Core with one firmware version in AWS Jobs, the OTA update works fine; however, when I upload the next version with the same code signing profile and certificate (on the device), the OTA update fails with the error "Signature verification failed".
Do I need a different code signing profile every time for a new firmware version?

Hello,

So, if I understand correctly, the OTA update works if you select "Choose a previously signed image" from the console, but throws a signature verification error when selecting "Sign a new file for me" from the console. Is that correct?
If so, did you make sure the signing profile is the same from the console and the certificate is the same on the device for both jobs?
How is the certificate provisioned on the device?
Could you provide the job document and logs from the device for the success and failure cases?

Do I need a different code signing profile every time for a new firmware version?
You need to create a code signing profile only once, and can use it for multiple firmware updates.
</grreplace>
<gr_replace lines="19-21" cat="clarify" orig="Hello Ravishankar.">
Hello Ravishankar,
Yes, that is right.
I am using the same signing profile for both versions, and the certificate is hard-coded in the controller.

Hello Ravishankar.
Yes That is right.
I am using the same signing profile for both of the versions and certificate is hard coded in Controller.
Best Regards
Pankaj

As stated before, could you share the logs from the device for the success and error scenarios?

Additionally, could you verify the signing profile used to create the signing job by dumping it via the CLI? You can use the following command to dump the signing profile:

aws signer get-signing-profile --profile-name=<your signing profile name>

From the output, verify that the signing profile status is Active and that it uses the same signing mechanism as supported by the device verification, for example SHA256-ECDSA.

If the certificate is hard-coded in code, make sure that it is properly formatted as a PEM string constant and that it matches the certificate specified in the signing profile. To get the certificate from the signing profile, look for the certificateArn field in the command output and use the ARN to get the actual certificate as below:

aws acm get-certificate --certificate-arn=<certificate ARN obtained from signing profile output>
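The checks described in the two answers above (profile status, signing platform, and whether the device's hard-coded PEM is the same certificate the profile signs with), as an added Python example that is not part of this thread. The JSON dumps are constructed stand-ins for the two CLI commands' output, the certificate bodies are placeholders, and the expected platformId "AmazonFreeRTOS-Default" is an assumption about the SHA256-ECDSA profile used here.

```python
import json
import re

# Constructed sample of `aws signer get-signing-profile` output (not a real profile).
SIGNING_PROFILE_JSON = r"""{
  "profileName": "OTA_ECDSA_Profile",
  "status": "Active",
  "platformId": "AmazonFreeRTOS-Default",
  "signingMaterial": {"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"}
}"""

# Constructed sample of `aws acm get-certificate` output; the PEM body is a placeholder.
ACM_CERT_JSON = r"""{"Certificate": "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\nBODYline2\n-----END CERTIFICATE-----\n"}"""

# How the same certificate might be hard-coded in the device firmware (C-style string constant).
DEVICE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholder\n"
    "BODYline2\n"
    "-----END CERTIFICATE-----\n"
)

def profile_problems(profile_json, expected_platform="AmazonFreeRTOS-Default"):
    """List what is wrong with a get-signing-profile dump; an empty list means it looks usable."""
    p = json.loads(profile_json)
    problems = []
    if p.get("status") != "Active":
        problems.append("profile status is %r, expected 'Active'" % p.get("status"))
    if p.get("platformId") != expected_platform:  # assumed platform for SHA256-ECDSA device verification
        problems.append("platformId %r does not match device verification platform %r"
                        % (p.get("platformId"), expected_platform))
    if not p.get("signingMaterial", {}).get("certificateArn"):
        problems.append("signingMaterial has no certificateArn to fetch the certificate from")
    return problems

def pem_body(pem):
    """Base64 body of a PEM certificate with header, footer and all whitespace removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM-encoded certificate")
    return re.sub(r"\s+", "", m.group(1))

def device_cert_matches_profile(device_pem, acm_json):
    """True when the device's hard-coded PEM is the certificate ACM returns for the profile's ARN.
    Line-ending and wrapping differences are ignored, so False means a genuinely different certificate."""
    acm_pem = json.loads(acm_json)["Certificate"]
    return pem_body(device_pem) == pem_body(acm_pem)

if __name__ == "__main__":
    print("profile problems:", profile_problems(SIGNING_PROFILE_JSON) or "none")
    print("device cert matches profile cert:", device_cert_matches_profile(DEVICE_PEM, ACM_CERT_JSON))
```

To use it against a real account, paste the actual output of the two commands into the two JSON constants and the firmware's certificate constant into DEVICE_PEM.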