OTA Connect Developer Guide

Rotate keys for Root and Targets metadata

Before you start, make sure that you have installed the garage-sign tool. If you are on a Debian-based Linux distro, you can also install the garage-sign tool with the garage-deploy tool as they are packaged together.

After you rotate keys, you will not be able to upload software images via the OTA Connect web UI. Use BitBake or garage-sign instead.

To rotate the keys:

  1. Create a local image repository.

    garage-sign init --repo myimagerepo --credentials /path/to/credentials.zip

    A ./tuf/myimagerepo/ directory tree is created in the current directory. This directory should be secured on an encrypted filesystem.

  2. Generate new Root and Targets keys.

    garage-sign key generate --repo myimagerepo --name myroot --type rsa
    garage-sign key generate --repo myimagerepo --name mytargets --type rsa

    Keep these keys offline on secure hardware and do not lose them. If you lose the Root key for an environment, it will no longer be possible to update software on any device connected to that environment. Once you rotate your keys offline, you are responsible for keeping them safe. HERE has no ability to recover them for you.

  3. Pull the current targets.json file from OTA Connect.

    garage-sign targets pull --repo myimagerepo

  4. Rotate your online Root key to the new offline Root key that you created in step 2.

    garage-sign move-offline --repo myimagerepo --old-root-alias origroot \
        --new-root myroot --new-targets mytargets

    A new root.json file is generated, signed, and uploaded to OTA Connect.

  5. Sign the current targets.json file with the new Targets key.

    garage-sign targets sign --repo myimagerepo --key-name mytargets

    This metadata expires after a predefined period. To change the expiry period, add the --expires or --expire-after option. For more information, see our guide to managing metadata expiry dates.

  6. Upload the newly signed targets.json to OTA Connect.

    garage-sign targets push --repo myimagerepo
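The six steps above are order-sensitive, and the guide's warning about a lost Root key is the reason to be careful between steps 2 and 4: once move-offline has uploaded a root.json signed by a key you no longer have, the environment cannot be updated. The following wrapper is an added example, not part of the OTA Connect guide or the garage-sign tool. It runs the steps in the documented order, checks that the credentials file is readable and that garage-sign is on PATH before touching anything, and refuses to run move-offline unless both new key files exist on disk. It assumes garage-sign stores generated keys as tuf/<repo>/keys/<name>.pub and tuf/<repo>/keys/<name>.sec (an assumption about the on-disk layout; adjust keys_present if yours differs). The SIGN_OPTS variable is a hypothetical pass-through for the --expires or --expire-after option mentioned in step 5, and DRY_RUN=1 prints the commands instead of running them so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the OTA Connect guide or the garage-sign project):
# runs the six rotation steps in order and refuses to move the Root key
# offline unless the newly generated key files are present.
# ASSUMPTION: garage-sign writes generated keys to tuf/<repo>/keys/<name>.pub
# and tuf/<repo>/keys/<name>.sec; change keys_present if your layout differs.
set -u

# step CMD ARGS...: print the command when DRY_RUN=1, otherwise log and run it.
step() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    printf '+ %s\n' "$*" >&2
    "$@"
  fi
}

# preflight_checks CREDS: the credentials zip must be readable, and garage-sign
# must be on PATH unless this is a dry run. Returns non-zero with a reason.
preflight_checks() {
  creds=$1
  if [ ! -r "$creds" ]; then
    echo "credentials file not readable: $creds" >&2
    return 1
  fi
  if [ "${DRY_RUN:-0}" != 1 ] && ! command -v garage-sign >/dev/null 2>&1; then
    echo "garage-sign is not on PATH" >&2
    return 2
  fi
  return 0
}

# keys_present REPO NAME: both halves of a generated key exist and are non-empty
# (assumed layout, see header comment).
keys_present() {
  [ -s "tuf/$1/keys/$2.pub" ] && [ -s "tuf/$1/keys/$2.sec" ]
}

# run_rotation REPO NEW_ROOT NEW_TARGETS OLD_ROOT_ALIAS CREDS
run_rotation() {
  repo=$1 root=$2 targets=$3 old_root=$4 creds=$5
  preflight_checks "$creds" || return $?

  # Step 1: create the local image repository under ./tuf/<repo>/
  step garage-sign init --repo "$repo" --credentials "$creds" || return $?
  # Step 2: generate the new offline Root and Targets keys
  step garage-sign key generate --repo "$repo" --name "$root" --type rsa || return $?
  step garage-sign key generate --repo "$repo" --name "$targets" --type rsa || return $?
  # Guard: never replace the online Root key unless the replacement is on disk.
  if [ "${DRY_RUN:-0}" != 1 ] && ! { keys_present "$repo" "$root" && keys_present "$repo" "$targets"; }; then
    echo "refusing to move offline: new key files not found under tuf/$repo/keys/" >&2
    return 3
  fi
  # Step 3: pull the current targets.json before rotating
  step garage-sign targets pull --repo "$repo" || return $?
  # Step 4: replace the online Root key; garage-sign uploads the new root.json
  step garage-sign move-offline --repo "$repo" --old-root-alias "$old_root" \
    --new-root "$root" --new-targets "$targets" || return $?
  # Step 5: sign targets.json with the new Targets key. SIGN_OPTS (hypothetical
  # pass-through) may carry --expires or --expire-after, as the guide describes.
  # shellcheck disable=SC2086
  step garage-sign targets sign --repo "$repo" --key-name "$targets" ${SIGN_OPTS:-} || return $?
  # Step 6: upload the signed targets.json
  step garage-sign targets push --repo "$repo"
}

# Usage: DRY_RUN=1 sh rotate-keys.sh myimagerepo myroot mytargets origroot /path/to/credentials.zip
if [ $# -eq 5 ]; then
  run_rotation "$@"
fi
```

Run it once with DRY_RUN=1 and compare the printed commands against the steps above before running it for real; the repository directory it creates belongs on the encrypted filesystem the guide calls for, and the generated keys should leave the machine for offline storage as soon as the push succeeds.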

Your keys for software metadata are now offline.

To learn more about the garage-sign commands and options, see its reference documentation.