This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

[FAQ] SIMPLELINK-CC32XX-SDK: Important Notice for Customers Using GITHUB for OTA Updates

Part Number: SIMPLELINK-CC32XX-SDK

The TI SimpleLink Wi-Fi SDK provides example code for the use of Dropbox or GITHUB to perform Over the Air (OTA) updates.  However, TI cannot guarantee the operation of these 3rd party services for long term use.  Recent changes by GITHUB have highlighted that connection issues may occur when using the OTA library from the SDK to connect to the GITHUB server.  Details of the specific GITHUB circumstances are provided below.

It is important to note that GITHUB has could not confirm the timeframe for permanently updating their server certificate handling.  Customers needing future OTA compatibility with the GITHUB service will need to update the SimpleLink Wi-Fi OTA library by using SDK 5.10 and update the GITHUB root CA certificates as soon as possibe. The planned release timeframe for SDK 5.10 is the end of 1Q 2021.Please see update in below post.

 GITHUB Details:

The OTA update procedure involves connecting to 2 servers:

- The GITHUB OTA (api.github.com) server for authenticating and granting permission to access folders where the image is located

- The GITHUB file server itself to load the image

Historically, GITHUB used the same root of trust for the 2 servers, which allowed customers to set only one root CA to verify and enable the connection with the OTA library.

Recently GITHUB updated the certificate handling to require unique certificates per server (the “api.github.com” now requires the DigiCert Global Root CA). This caused connection failures as described above.  When notified of the issues this caused, GITHUB willingly agreed to revert back to the original certificate handling as a temporary adjustment period for manufacturers.  The OTA library modifications planned for SDK 5.10 will enable support for connecting to a CDN server and a file server when they use different root CAs.  Customers should update their initial programming image and devices in the field to use the new OTA library and updated GITHUB root CA certificates to ensure future OTA functionality. Please see update in below post.

  • Important Update: An alternate solution has been identified for continuing to support connections to the GitHub servers with the SimpleLink OTA library in SDK v5.10. In SDK v5.10, the OTA library still expects the application to use a single file containing the remote server certificates. To enable the device to work properly when the CDN server and file server use different root CAs, the file loaded on the device should be a PEM formatted file that includes both of the root CA certificates.

     

    During the GitHub transition, the two certificates that are expected to be needed by the device are the Digicert High Assurance EV Root CA and DigiCert Global Root CA. The attached PEM file combines these two root CAs.

     

    Customers must update the devices they have in the field and being manufactured to use this file as the OTA_SERVER_ROOT_CA_CERT to help ensure compatibility with the service moving forward. Please make sure the attached file is programmed to the file system’s root and the following is defined in “otauser.h” (this definition should be used to rebuild the OTA library and the application):

    #define OTA_SERVER_ROOT_CA_CERT         "RootCACerts_GitHub.pem"

    The 2nd quarter SDK release (v5.20) will include the originally planned update to the OTA library.

    RootCACerts_GitHub.pem

  • Please note that the PEM solution described above is only supported by CC323x devices.

    CC3220 users should still define the root CA certificate for each server and make sure they update the root certificate just before the GitHub server certificate is replaced. Both DER and PEM formatted certificates are supported, but note that in case of a PEM file with multiple certificates (as explained above), the CC3220 will only refer to the first one.