OTA Connect Developer Guide

Secure your software updates

OTA Connect has a security concept that includes signing metadata files with secure, offline keys. For more information about these files, see the Uptane metadata overview.

How metadata is signed by default

When you create an account on the HERE OTA Connect Portal, all of your Uptane keys and metadata files are managed by OTA Connect. The keys are generated by our crypto service when the account is created and stored in a Vault instance. When you build software images and upload them to your account on the OTA Connect Portal, we generate the metadata and sign it for you.

How metadata should be signed in production

You can rotate your software signing key and take it offline, replacing it with a key held only by you. As only you have the key in this scenario, the OTA Connect server can no longer sign software for you. The metadata files will now be signed locally or on your build machine. The signing happens automatically whenever you push a new software image to OTA Connect. However, you need to update your build configuration first.

We recommend rotating the keys for all production deployments, because a person who gained access to your OTA Connect account could otherwise send arbitrary malicious software to your vehicles. If your software signing key is offline, the most an account compromise can achieve is to resend an already-signed image, that is, one that used to be valid.

Before you use OTA Connect in production, create offline keys that you manage yourself, and then rotate out the default keys that were automatically created for your account on the OTA Connect server. If you don’t do this, you expose yourself to the risks described in the key management topic. To take your key offline, use the garage-sign command, which is part of our garage-deploy tool.
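The following Go program is an added example, not code from HERE, garage-sign or aktualizr, that shows why an offline signing key limits the damage of an account compromise to replaying already-signed metadata, and why the client-side version and expiry checks matter on top of the signature. It uses a simplified targets metadata structure, Ed25519 keys and constructed image names, hashes and dates; real Uptane metadata, canonical JSON and the checks performed by a production client are more elaborate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Signed is an illustrative subset of the "signed" section of an Uptane targets file.
type Signed struct {
	Version int               `json:"version"`
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"` // image name -> hash (constructed placeholders)
}

// Metadata is the envelope: the signed body plus detached signatures over it.
type Metadata struct {
	Signed     Signed   `json:"signed"`
	Signatures [][]byte `json:"signatures"`
}

var ErrBadSignature = errors.New("no valid signature from a trusted targets key")
var ErrRollback = errors.New("version is not newer than the last accepted version")
var ErrExpired = errors.New("metadata has expired")

// Sign produces targets metadata signed with the offline targets key; encoding/json's
// deterministic output stands in for the canonical JSON that real TUF/Uptane signs.
func Sign(s Signed, priv ed25519.PrivateKey) (Metadata, error) {
	b, err := json.Marshal(s)
	if err != nil {
		return Metadata{}, err
	}
	return Metadata{Signed: s, Signatures: [][]byte{ed25519.Sign(priv, b)}}, nil
}

// Verify performs the client-side checks a vehicle runs before trusting new targets
// metadata: a signature from a key pinned in root metadata, a version newer than the
// last accepted one (rollback protection), and an expiry date still in the future.
func Verify(m Metadata, trusted []ed25519.PublicKey, lastVersion int, now time.Time) error {
	b, err := json.Marshal(m.Signed)
	if err != nil {
		return err
	}
	signed := false
	for _, sig := range m.Signatures {
		for _, pub := range trusted {
			signed = signed || ed25519.Verify(pub, b, sig)
		}
	}
	switch {
	case !signed:
		return ErrBadSignature
	case m.Signed.Version <= lastVersion:
		return ErrRollback
	case !now.Before(m.Signed.Expires):
		return ErrExpired
	}
	return nil
}

// Outcome records what the vehicle does with each kind of metadata in the scenario.
type Outcome struct {
	GenuineAccepted  bool // new metadata signed with the offline key
	TamperedRejected bool // signed metadata whose targets were edited without the key
	ReplayRejected   bool // an older, validly signed file resent after a newer one
	ExpiredRejected  bool // a validly signed file presented after its expiry date
}

// Scenario models the situation in the text: the targets key is held offline, so
// whoever controls the OTA account has only already-signed files to work with.
func Scenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // the offline key pair
	if err != nil {
		return Outcome{}, err
	}
	trusted := []ed25519.PublicKey{pub}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	expires := now.AddDate(0, 1, 0)
	release := func(version int, image string) Signed {
		return Signed{Version: version, Expires: expires,
			Targets: map[string]string{image: "sha256:constructed-placeholder"}}
	}
	v1, err := Sign(release(1, "ecu-fw-1.0.bin"), priv) // already accepted by the vehicle
	if err != nil {
		return Outcome{}, err
	}
	v2, err := Sign(release(2, "ecu-fw-2.0.bin"), priv) // the genuine next release
	if err != nil {
		return Outcome{}, err
	}
	o := Outcome{GenuineAccepted: Verify(v2, trusted, 1, now) == nil}
	// Without the key, an account holder can only edit a signed file, which breaks the signature.
	tampered := v2
	tampered.Signed.Targets = map[string]string{"ecu-fw-evil.bin": "sha256:constructed-evil"}
	o.TamperedRejected = errors.Is(Verify(tampered, trusted, 1, now), ErrBadSignature)
	// Resending the old but validly signed v1 after v2 was accepted trips rollback protection.
	o.ReplayRejected = errors.Is(Verify(v1, trusted, 2, now), ErrRollback)
	// Even a validly signed, newer file is refused once its expiry date has passed.
	o.ExpiredRejected = errors.Is(Verify(v2, trusted, 1, expires.AddDate(0, 0, 1)), ErrExpired)
	return o, nil
}
```

The replay case is the residual risk the text describes: the old file is still correctly signed, so only the vehicle's record of the last accepted version stops it, and the expiry check bounds how long a stale file can be replayed at all. Short expiry windows on targets metadata therefore matter as much as keeping the key offline.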