Skip to content

feat(ota): Add support for signed binaries #11968

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat(ota): Add support for signed binaries #11968

wants to merge 1 commit into from
+2,312 −4

Conversation

@lucasssvaz
Copy link
Member

Description of Change

This pull request introduces secure OTA (Over-The-Air) firmware update capabilities with cryptographic signature verification to the ArduinoOTA library and its examples. The main focus is on enabling devices to only accept firmware that has been signed with an authorized private key, significantly improving security against unauthorized or tampered updates. The changes include new example code, documentation, build workflow updates, and modifications to the ArduinoOTA core to support signature verification.

Key changes:

Secure OTA Signature Verification Support

  • Added support for cryptographic signature verification in the ArduinoOTA library, allowing users to specify a signature verifier (RSA or ECDSA) via the new setSignature() method. This ensures only signed firmware is accepted during OTA updates. [1] [2] [3] [4] [5] [6]

New Example: SignedOTA

  • Introduced a new SignedOTA example, including:
    • SignedOTA.ino: Demonstrates secure OTA with signature verification, configurable for different algorithms and optional password protection.
    • public_key.h: Contains a test RSA public key for demonstration purposes; users are instructed to generate and use their own keys.
    • README.md: Comprehensive instructions for setup, key generation, signing firmware, and troubleshooting.
    • ci.yml: Ensures the example is only built when WiFi support is present.

Build and Workflow Enhancements

  • Updated the build workflow (build_py_tools.yml) to include the new tools/bin_signing.py tool, which is required for signing firmware images as part of the secure OTA process. [1] [2]

These changes collectively add a robust security layer to OTA updates, protecting devices from unauthorized or malicious firmware installations.

Test Scenarios

Tested locally

Related links

Closes #8141

@lucasssvaz lucasssvaz requested a review from me-no-dev as a code owner October 29, 2025 15:52
@lucasssvaz lucasssvaz self-assigned this Oct 29, 2025
@lucasssvaz lucasssvaz added Area: Libraries Issue is related to Library support. Area: Tools & Build System Issue is related to tools and/or the build system Status: Review needed Issue or PR is awaiting review labels Oct 29, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 29, 2025
edited
Loading

Messages
📖 This PR seems to be quite large (total lines of code: 2316), you might consider splitting it into smaller PRs

👋 Hello lucasssvaz, we appreciate your contribution to this project!

📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.
🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.
Click to see more instructions ...


This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modify the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- Addressing info messages (📖) is strongly recommended; they're less critical but valuable.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against e2656bb

@lucasssvaz lucasssvaz requested a review from SuGlider as a code owner October 29, 2025 15:54
@lucasssvaz lucasssvaz force-pushed the feat/ota_sign branch 2 times, most recently from 5517c9b to 59e4a95 Compare October 29, 2025 15:59
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 29, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Oct 29, 2025
edited
Loading

Test Results

 76 files   76 suites   14m 43s ⏱️
 38 tests  38 ✅ 0 💤 0 ❌
241 runs  241 ✅ 0 💤 0 ❌

Results for commit e2656bb.

♻️ This comment has been updated with latest results.

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 29, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Oct 29, 2025
edited
Loading

Memory usage test (comparing PR against master branch)

The table below shows the summary of memory usage change (decrease - increase) in bytes and percentage for each target.

MemoryFLASH [bytes]FLASH [%]RAM [bytes]RAM [%]
TargetDECINCDECINCDECINCDECINC
ESP32C5000.000.00000.000.00
ESP32P4000.000.00000.000.00
ESP32S3💚 -1600.000.00000.000.00
ESP32S2000.000.00000.000.00
ESP32C3000.000.00000.000.00
ESP32C6000.000.00000.000.00
ESP32H2000.000.00000.000.00
ESP32000.000.00000.000.00
Click to expand the detailed deltas report [usage change in BYTES]
TargetESP32C5ESP32P4ESP32S3ESP32S2ESP32C3ESP32C6ESP32H2ESP32
ExampleFLASHRAMFLASHRAMFLASHRAMFLASHRAMFLASHRAMFLASHRAMFLASHRAMFLASHRAM
libraries/ArduinoOTA/examples/BasicOTA000000000000--00
libraries/ArduinoOTA/examples/SignedOTA----------------
libraries/HTTPUpdate/examples/httpUpdate000000000000--00
libraries/HTTPUpdate/examples/httpUpdateSPIFFS000000000000--00
libraries/HTTPUpdate/examples/httpUpdateSecure000000000000--00
libraries/HTTPUpdateServer/examples/WebUpdater000000000000--00
libraries/Update/examples/AWS_S3_OTA_Update000000000000--00
libraries/Update/examples/HTTP_Client_AES_OTA_Update000000000000--00
libraries/Update/examples/HTTP_Server_AES_OTA_Update000000000000--00
libraries/Update/examples/OTAWebUpdater000000000000--00
libraries/Update/examples/SD_Update0000000000000000
libraries/Update/examples/Signed_OTA_Update----------------
libraries/WebServer/examples/HttpAdvancedAuth0000💚 -160000000--00
libraries/WebServer/examples/HttpAuthCallback000000000000--00
libraries/WebServer/examples/HttpAuthCallbackInline000000000000--00
libraries/WebServer/examples/HttpBasicAuth000000000000--00
libraries/WebServer/examples/HttpBasicAuthSHA1000000000000--00
libraries/WebServer/examples/HttpBasicAuthSHA1orBearerToken000000000000--00
libraries/WebServer/examples/WebUpdate000000000000--00

@Jason2866
Copy link
Collaborator

Nice new feature, but it adds 5k of flash usage! Users upgrading from actual core will loose this flash space without knowing why. Furthermore the signing can only be used when a key has been created. So imho it would be better to make this feature default off. Since generating the key needs to be done when wanting to use, setting the flag to activate is no problem.
Doing this way flash "waste" for many users is avoided

@Xylopyrographer
Copy link
Contributor

Must agree with the comment by @Jason2866

Increasing flash usage as new cores are introduced is a real issue. Certainly with OTA configurations. This is an advanced feature that should be "off" by default.

@lucasssvaz lucasssvaz added the Status: Blocked upstream 🛑 PR is waiting on upstream changes to be merged first label Oct 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@me-no-dev me-no-dev Awaiting requested review from me-no-dev me-no-dev is a code owner

@SuGlider SuGlider Awaiting requested review from SuGlider SuGlider is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

@lucasssvaz lucasssvaz

Labels

Area: Libraries Issue is related to Library support. Area: Tools & Build System Issue is related to tools and/or the build system Status: Blocked upstream 🛑 PR is waiting on upstream changes to be merged first Status: Review needed Issue or PR is awaiting review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Code signing for [OTA] Updates

4 participants

@lucasssvaz @Jason2866 @Xylopyrographer