Invalid Signature

[ArkajyotiChatterjee]

Hello. I am trying to call the arduino create agent plugin from my localhost to upload a hex file to my arduino. I generated a pair of public and private keys and updated the public key in the config.ini file. Then I am generating the signature of my commandline using my private key and then I am updating the same on the js code. But still when I run the code, I am getting "Signature is Invalid". Any ideas as to what I am doing wrong. I am pasting the json payload I am trying to upload .

var abcData = {
           "board":"arduino:avr:uno",
           "port":"COM18",
           "commandline":"\"C:\Program Files(x86)\Arduino\hardware\tools\avr/bin/avrdude -CC:\Program Files (x86)\Arduino\hardware\tools\avr/etc/avrdude.conf -v -patmega328p -carduino -PCOM15 -b115200 -D -Uflash:w:C:\Users\ChatteAr\AppData\Local\Temp\arduino_build_876546/flasher_tryout.ino.hex:i\"",
           "signature":"uJsl8iXd9hNsA6ExtE7msUGaP1/9KU+Yx...." ,
          "hex":"EAAAAAyUXQAMlIUADJSFAAyUhQCEEAAQAAyUhQAMlIUADJSFAAyUhQBMEAAgAAyUhQAMlIUAD.....",
           "filename":"flasher_tryout.ino.hex",
		   "extra":{
              "auth":{
			     "username":null,
                 "password":null,
				  "privatekey":null,
				   "port":null
                },
              "wait_for_upload_port":false,
              "use_1200bps_touch":false,
              "network":false,
              "params_verbose":null,
              "params_quiet":null,
              "verbose":false ,
			  "ssh":false}
        
    };
url= "http://localhost:8991/upload";

[facchinm]

Hi @ArkajyotiChatterjee ,
the procedure looks good. @matteosuppo we don't need to sign anything except the commandline right now, correct?

[matteosuppo]

Yes, only the commandline. The key should be crypto.SHA256.

[ArkajyotiChatterjee]

Hi @facchinm , @matteosuppo , for testing purposes I was using openSSL from my GIT Bash to generate the key pair and sign the commandline. The codes are as follows:
`openssl genrsa -out private.pem 2048 // private key

openssl rsa -in private.pem -outform PEM -pubout -out public.pem //public key(used in config.ini)

echo ""{runtime.tools.avrdude.path}/bin/avrdude" "-C{runtime.tools.avrdude.path}/etc/avrdude.conf" {upload.verbose} -patmega32u4 -cavr109 -P{serial.port} -b57600 -D "-Uflash:w:{build.path}/{build.project_name}.hex:i"" | openssl dgst -sha256 -sign private.pem -out /tmp/sign.sha256
//signing the commandline

openssl base64 -in /tmp/sign.sha256 -out sign_commndline // the signature file`

Still I am getting the error"Signature is Invalid". Any ideas as to exactly what I am missing?

[ArkajyotiChatterjee]

Hey guys,any help would be appreciated a lot.

[matteosuppo]

The only thing that comes to mind it that maybe the quotes are being escaped.

You could try with the following go code:

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
)
func sign(message []byte, key []byte) ([]byte, error) {
	block, _ := pem.Decode(key)
	if block == nil {
		return nil, errors.New("While decoding key " + string(key))
	}
	rng := rand.Reader
	private, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return nil, errors.New("While parsing key "+ key)
	}

	hashed := sha256.Sum256(message)
	signature, err := rsa.SignPKCS1v15(rng, private, crypto.SHA256, hashed[:])
	if err != nil {
		return nil, errors.New("While signing message "+message+" with key " + private)
	}

	return signature, nil
}

and see if the generated signature is the same

[kosciuk]

I don't know the entire process but if I run --generateCert all keys are ECDSA,I think the signature must be made with key.pem, but the function verifyCommandLine seems to use a RSA in line 216:
key.(*rsa.PublicKey)

Log

http2: panic serving 127.0.0.1:43880: interface conversion: interface {} is *ecdsa.PublicKey, not *rsa.PublicKey
goroutine 156 [running]:
net/http.(*http2serverConn).runHandler.func1(0xc420206038, 0xc4205dbfaf, 0xc420348000)
/usr/lib/go-1.10/src/net/http/h2_bundle.go:5753 +0x190
panic(0xb52080, 0xc4202008c0)
/usr/lib/go-1.10/src/runtime/panic.go:502 +0x229
main.verifyCommandLine(0xc42012e540, 0xd4, 0xc4200923f0, 0x61, 0x6, 0x414038)
/home/kosciuk/go/src/github.com/arduino/arduino-create-agent/conn.go:215 +0x2c4

[matteosuppo]

The certificates generated with --generateCert are only used for ssl, they are not used to sign the commandline

[kosciuk]

Ups! I used key.pem to sign. I ' ll try generating my own RSA, but with ECDSA I can't verify the signature until I generated it with Python [0], maybe there is a problem with signing with openssl.

[0] https://thanethomson.com/2018/11/30/validating-ecdsa-signatures-golang/

[matteosuppo]

It shouldn't be possible to verify a signature with a ecdsa key, since it expects an rsa public key

[kosciuk]

Not if I add a new function for that :P, I tried again with RSA and the problem was that

openssl base64 -in /tmp/sign.sha256 -out sign_commndline

is wrong since the code expect the signature in hex:

func verifyCommandLine(input string, signature string) error {
    sign, _ := hex.DecodeString(signature)

I couldn't create the signature with openssl or Python, then I used the example in https://stackoverflow.com/questions/20655702/signing-and-decoding-with-rsa-sha-in-go. The digest was the same in Python - Go, but the signature didn't match (using pip install rsa)

Update:

Finally... how to make the signature:

#!/usr/bin/env python

from base64 import (
    b64encode,
    b64decode,
)

from Crypto.Hash import SHA256
from Crypto.Signature import PKCS1_v1_5
from Crypto.PublicKey import RSA

digest = SHA256.new()
digest.update(b'"{runtime ... [complete with your command line] ... }.hex:i"')

with open ("rsakey.pem", "r") as myfile:
    private_key = RSA.importKey(myfile.read())

signer = PKCS1_v1_5.new(private_key)
sig = signer.sign(digest)

print(sig.encode("hex"))

Hope this helps, @ArkajyotiChatterjee

[ProgrammingElectronics]

I seem to be stuck at this signature point as well and I am trying to just see if I can get the Arduino Create Agent to recognize a valid signature.

I am using openssl to generate the private and public keys:

### Create a private key
openssl genrsa -out private_24MAR25_B.pem 2048

### Extract the public key from the private key
openssl rsa -pubout -in private_24MAR25_B.pem -out public_24MAR25_B.pem

### Format the public key for the config.ini file -> paste in Arduino Crete config.ini file and add comment for file name
awk 'NR>0 {printf "%s\\n", $0}' public_24MAR25_B.pem

And I used the go code above recommended by @matteosuppo to generate a signature for a commandline that is just the word "test"

Then, as a test in my terminal, I am trying:

curl -X POST -H "Content-Type: application/json" -d '{
   "board":"arduino:avr:leonardo",
   "commandline":"test",
   "data":"OjEwMDAwMDAwMEM5NEU1MDAwQzk0MEQwMTBDOTQwRDAxMEM5NDBEMDE2MQ0KOjEwMDAxMDAwMEM5NDBEMDEwQzk0M",
   "extra":{
      "auth":{
         "username":null,
         "password":null,
         "private_key":null,
         "port":null
      },
      "use_1200bps_touch":true,
      "wait_for_upload_port":true
   },
   "extrafiles":[
      
   ],
   "filename":"Blink.hex",
   "hex":"OjEwMDAwMDAwMEM5NEU1MDAwQzk0MEQwMTBDOTQwRDAxMEM5NDBEMDE2MQ0KOjEwMDAxMDAwMEM5NDBEMDEwQzk0M",
   "network":false,
   "port":"/dev/ttyACM1",
   "signature":"b92e446e74e1f3f6274fa83326ce0e205775e2ea398fd545296d27493ebe667858ff414d73b27830dae636dbdc2309286ae42ba8635c00344de2cd4bbf0a6eac64dc02e84702075ca8ca9e14e8afc3bd1e1c8d41d9892598faee802a7b36bd9fae0650d03de30e9de7a7ec13a181af4f3f24884ad161cf3356283a04affd67f577f99d3fb603198de91b2fb2fa3e84537042e1076097db94f42753c95175443d83d1998a5fa52272badc849e1f1c9b01fc689734e36aaa9112887a1d432e89172f77c06985dc84f32d541a96bef3e6bc4beddf43e2f1a24b549c466324eb7d787d7746ef30ccce871a6ced8ec6845528f30971ea110c741fe0b07dad59ddcc43"
}' http://127.0.0.1:8991/upload

Still getting "signature is invalid"

I have tried multiple variations of how to format the signatureKey value from in the config.ini file:

`-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZLGLUjSVTIkyXNqsfK8
...
+QIDAQAB
-----END PUBLIC KEY-----`

To "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZLGLUjSVTIkyXNqsfK8\nMbwZ92AYRC1R/kUIE3JaygyG1MSyQBnYFBpQqSPKOjUvZBQ7ZxjZIu/mp1U9cb0w\n1avWp9Cl9QNTZ6gBLwBQThZCxDCbrtXeE71QE8qzBJbT6C27fQVoYf3QN02H72kR\nlemlFVFD9jABQhQw4kNXbvOc1rx74DWLMBxRwvmxGLohyiHw7JtEsuJK1tv/7EYZ\n/Y0lHMV9U6fyw8+S5P8khl1Xzpvk1T5htG/w6SejkI08gBIfzgb/ICoHUEiU+ZFR\nZ0vqEF2T7tCrjx/PItLuW0gqsZjWiEAUAT7fzPSSbt44qLgzFhCNgS4Tz2ayPUJw\n+QIDAQAB\n-----END PUBLIC KEY-----\n

Etc.

Any additional thoughts, or recommendations would be much appreciated if you see I am doing something incorrect here.

[dido18]

I seem to be stuck at this signature point as well and I am trying to just see if I can get the Arduino Create Agent to recognize a valid signature.

I am using openssl to generate the private and public keys:

### Create a private key
openssl genrsa -out private_24MAR25_B.pem 2048

### Extract the public key from the private key
openssl rsa -pubout -in private_24MAR25_B.pem -out public_24MAR25_B.pem

### Format the public key for the config.ini file -> paste in Arduino Crete config.ini file and add comment for file name
awk 'NR>0 {printf "%s\\n", $0}' public_24MAR25_B.pem

And I used the go code above recommended by @matteosuppo to generate a signature for a commandline that is just the word "test"

Then, as a test in my terminal, I am trying:

curl -X POST -H "Content-Type: application/json" -d '{
   "board":"arduino:avr:leonardo",
   "commandline":"test",
   "data":"OjEwMDAwMDAwMEM5NEU1MDAwQzk0MEQwMTBDOTQwRDAxMEM5NDBEMDE2MQ0KOjEwMDAxMDAwMEM5NDBEMDEwQzk0M",
   "extra":{
      "auth":{
         "username":null,
         "password":null,
         "private_key":null,
         "port":null
      },
      "use_1200bps_touch":true,
      "wait_for_upload_port":true
   },
   "extrafiles":[
      
   ],
   "filename":"Blink.hex",
   "hex":"OjEwMDAwMDAwMEM5NEU1MDAwQzk0MEQwMTBDOTQwRDAxMEM5NDBEMDE2MQ0KOjEwMDAxMDAwMEM5NDBEMDEwQzk0M",
   "network":false,
   "port":"/dev/ttyACM1",
   "signature":"b92e446e74e1f3f6274fa83326ce0e205775e2ea398fd545296d27493ebe667858ff414d73b27830dae636dbdc2309286ae42ba8635c00344de2cd4bbf0a6eac64dc02e84702075ca8ca9e14e8afc3bd1e1c8d41d9892598faee802a7b36bd9fae0650d03de30e9de7a7ec13a181af4f3f24884ad161cf3356283a04affd67f577f99d3fb603198de91b2fb2fa3e84537042e1076097db94f42753c95175443d83d1998a5fa52272badc849e1f1c9b01fc689734e36aaa9112887a1d432e89172f77c06985dc84f32d541a96bef3e6bc4beddf43e2f1a24b549c466324eb7d787d7746ef30ccce871a6ced8ec6845528f30971ea110c741fe0b07dad59ddcc43"
}' http://127.0.0.1:8991/upload

Still getting "signature is invalid"

I have tried multiple variations of how to format the signatureKey value from in the config.ini file:

`-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZLGLUjSVTIkyXNqsfK8
...
+QIDAQAB
-----END PUBLIC KEY-----`

To "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZLGLUjSVTIkyXNqsfK8\nMbwZ92AYRC1R/kUIE3JaygyG1MSyQBnYFBpQqSPKOjUvZBQ7ZxjZIu/mp1U9cb0w\n1avWp9Cl9QNTZ6gBLwBQThZCxDCbrtXeE71QE8qzBJbT6C27fQVoYf3QN02H72kR\nlemlFVFD9jABQhQw4kNXbvOc1rx74DWLMBxRwvmxGLohyiHw7JtEsuJK1tv/7EYZ\n/Y0lHMV9U6fyw8+S5P8khl1Xzpvk1T5htG/w6SejkI08gBIfzgb/ICoHUEiU+ZFR\nZ0vqEF2T7tCrjx/PItLuW0gqsZjWiEAUAT7fzPSSbt44qLgzFhCNgS4Tz2ayPUJw\n+QIDAQAB\n-----END PUBLIC KEY-----\n

Etc.

Any additional thoughts, or recommendations would be much appreciated if you see I am doing something incorrect here.

@ProgrammingElectronics, thanks for the detailed report.
I think this is a regression of the agent. You can find details on this PR #1024

[dido18]

The agent 1.7.0 has been released with the fix.
We have also updated the wiki page with the instruction to generate and use a custom publick/private key.

@ProgrammingElectronics could you confirm that the new releases fix the issue?
Thanks

[dido18]

I close the issue.
Feel free to reopen it if the problem persists 💯