SrPatinhas / smarthalo-firmware

Firmware signing keys #1

Open charliebruce opened 1 year ago

charliebruce commented 1 year ago

Thanks so much for taking the time to share this with the public! Would be great to save these devices from being e-waste.

For us to be able to release firmware updates without needing the device to be disassembled, we need the signing key (usually called "private.pem"). This is the key that the bootloader uses to verify the firmware against - if the code isn't signed, the device will reject the firmware update.

Are you able to share this key publicly, to enable anyone to perform firmware updates on their device without requiring disassembly? As I understand it, you need the device password to trigger an update wirelessly, so sharing the firmware signing key doesn't compromise the anti-theft model.

SrPatinhas commented 12 months ago

@charliebruce I have some signing keys, but I can't pass them. We may want to just create some server that can publish any new firmware version and use the keys that I have

charliebruce commented 12 months ago

> @charliebruce I have some signing keys, but I can't pass them. We may want to just create some server that can publish any new firmware version and use the keys that I have

That could work - but creates additional friction to the development process (need an internet connection, and to wait for a CI job to complete before being able to flash firmware OTA).

Do you know why they asked for the keys to not be published publicly? As I understand it, releasing the keys doesn't really compromise the anti-theft model, all it does is restrict who/how firmware can be pushed to devices.

I can quite easily set up a CI pipeline for the firmware, but I won't be able to test it without access to the keys.

Would you be able to set the keys up as base64-encoded secrets on this repo, and give me push access?

charliebruce commented 12 months ago

Specifically I'd suggest something like this:

  1. Encode the key: cat private.pem | base64 > private.b64
  2. Paste the contents of private.b64 into a GitHub Secret, eg FIRMWARE_SIGNING_KEY. May need multiple entries depending on if they reused or created new keys for each iteration.
  3. The CI script will reconstruct the signing keys using the reverse: echo $FIRMWARE_SIGNING_KEY | base64 --decode > ~/private.pem
  4. The CI process can go on to build, sign and publish a release using this key, without the local developer having access.
  5. The repo should be set up to prevent new contributors from running Actions until they've been approved. (This prevents someone creating a PR designed just to leak the keys).
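
As an added example (not code from this thread or the SmartHalo project), here is a shell version of steps 1 and 3 above with the details a CI job needs to get right: no line wrapping on encode, a quoted variable on decode, a 0600 output file, a byte-for-byte check before the key is used, and cleanup afterwards. It assumes GNU coreutils base64 (the -w0 flag) and uses a constructed placeholder in place of a real private.pem.

```shell
#!/usr/bin/env bash
# Added example: round-trip a firmware signing key through a base64 CI secret.
# The key file below is a constructed placeholder, not a real SmartHalo key.
set -euo pipefail

# Constructed stand-in for private.pem (placeholder text, not real key material).
make_fake_key() {                   # $1 = path to write
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' \
    'PLACEHOLDERKEYMATERIALPLACEHOLDERKEYMATERIALPLACEHOLDERKEYMATERIAL' \
    '-----END EC PRIVATE KEY-----' > "$1"
}

# Step 1: encode without line wrapping so the secret is one opaque line
# (GNU base64; on macOS the equivalent is "base64 -b 0").
encode_key() {                      # $1 = path to private.pem
  base64 -w0 < "$1"
}

# Step 3: decode the secret from the environment into a 0600 file.
# The variable must be quoted: an unquoted $VAR splits on whitespace and
# turns any embedded newlines into spaces, which GNU base64 --decode rejects.
decode_key() {                      # $1 = secret value, $2 = output path
  ( umask 077; printf '%s' "$1" | base64 --decode > "$2" )
}

# Sanity check before the build signs anything: the decoded key must match
# the original byte-for-byte. Returns 0 on match, 1 otherwise, and removes
# the decoded copy either way so it does not linger on the runner.
roundtrip_ok() {                    # $1 = original private.pem
  local tmp out rc
  tmp=$(mktemp -d)
  out="$tmp/private.pem"
  decode_key "$(encode_key "$1")" "$out"
  if cmp -s "$1" "$out"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return "$rc"
}
```

In the CI job the value passed to decode_key comes from the FIRMWARE_SIGNING_KEY secret; the signing step itself depends on the bootloader's tooling, which this thread does not name.
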

SrPatinhas commented 12 months ago

Sure, I can do that! Well, regarding why they asked not to share the keys, it was probably only the API keys and stuff like that, but I preferred to stay safer and remove those as well, just to prevent any later issues. But I will try to follow your suggestions and put them in the GitHub repo.