Where to find the root keys for ADU JWS authentication? #2904
Comments
Any reason there are no updates on this topic? We are just a few months away from expiry.
@florianhumblot @prayassamriya I am no longer a maintainer of this project. That said, keys are not part of the SDK, they should come from the service.
@prayassamriya thanks for filing the issue, we are tracking this work item.
Gentle Reminder !!!
@ewertons considering the tokens are supposed to rotate by May 2025, I feel like it might be wise to prioritize this before customers can no longer authenticate JWS!
Hi. Apologies for the delay and lack of response (I was just sent this link and had not seen it previously). I am the PM owner for the Device Update for IoT Hub security story, including the upcoming root key rotation. We are a little bit behind in releasing both documentation and the new root key that will replace the one being rotated out, but anticipate those to be available in the next 2-3 weeks. The documentation will include a temporary mechanism for any customer to import a special update which will be signed with the new root key that will be used starting in May. This way, you'll be able to confirm the exact behavior of any of your devices in advance of the actual root key rotation. One note on this:
The default implementation of the Device Update agent has two root keys present. This is so that a rotation event like this one does not disrupt the device's ability to continue to receive updates, even if that device is not updated frequently. The second key (ADU.200703.R) has not been used by the Device Update team for validation in our production service, and will be the one we will start signing with in May. Our expectation, then, is that no devices will be impacted by the May 2025 rotation unless the implementation on a device currently omits that second root key. Our goal in making the information available several months in advance of the rotation is to allow our customers to test whether their devices might be in that state for some reason, and if so, update their devices to include all valid root keys. But by default, the May rotation should not cause devices to be unable to authenticate the update manifest.
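An added example, not part of the thread or of the SDK: a pre-rotation check for the state described in the comment above, where a device's trust list omits the second root key. It assumes the ADU manifest signature is a compact JWS whose header carries an `sjwk` field that is itself a compact JWS with the root key ID in its header `kid`; the function names and sample tokens are constructed, and the check inspects key IDs only, it does not verify signatures.

```python
import base64
import json

# Root key IDs named in this thread; a device should trust both.
EXPECTED_ROOT_KEY_IDS = {"ADU.200702.R", "ADU.200703.R"}


def b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jws_header(compact: str) -> dict:
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[0]))


def root_key_id(manifest_jws: str) -> str:
    # Assumed layout: outer header -> "sjwk" (a compact JWS) -> header "kid".
    sjwk = jws_header(manifest_jws).get("sjwk")
    if not isinstance(sjwk, str):
        raise ValueError("JWS header has no sjwk field")
    kid = jws_header(sjwk).get("kid")
    if not isinstance(kid, str):
        raise ValueError("sjwk header has no kid field")
    return kid


def device_trusts_signer(manifest_jws: str, device_root_key_ids) -> bool:
    # Key-ID check only; the agent must still verify both signatures.
    return root_key_id(manifest_jws) in set(device_root_key_ids)


def missing_root_keys(device_root_key_ids) -> list:
    return sorted(EXPECTED_ROOT_KEY_IDS - set(device_root_key_ids))


def make_sample_jws(kid: str) -> str:
    # Constructed token with placeholder signatures, for illustration only.
    def join(header: dict, payload: dict) -> str:
        segs = (json.dumps(header).encode(), json.dumps(payload).encode(), b"sig")
        return ".".join(b64url_encode(s) for s in segs)
    return join({"alg": "RS256", "sjwk": join({"alg": "RS256", "kid": kid}, {})}, {})
```

Running `missing_root_keys` against the key IDs compiled into a firmware image flags devices that would reject a manifest chained to ADU.200703.R.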
Thanks @andrewbrownmsft. When is the new key (ADU.200703.R) to be rotated? I heard that this will be 2028. Could you please let me know? Also, please share the documentation and test process here (as soon as it's ready) to help us confirm that after May 2025, the migration to the new key will happen seamlessly for on-field devices.
We have not yet announced a rotation timeframe for the new key. Our overall intent is to rotate approximately every 2.5 years, so I would not expect it to be earlier than 2028.
Thank you. I will wait for more information/documentation related to pre-validating ADU.200703.R signed manifest to verify seamless migration after May 2025. Thanks again.
Query/Question
The Azure SDK samples for device updates with ADU contain two root keys for JWS authentication. The key IDs are "ADU.200702.R" and "ADU.200703.R".
I have two questions:
I found this PR comment saying that there is an internal issue for this, but I haven't been able to find any updates.