Code Signing for Amazon FreeRTOS API Reference API Version 2017-08-25

(1)

Code Signing for Amazon FreeRTOS

API Reference

API Version 2017-08-25

(2)

Code Signing for Amazon FreeRTOS: API Reference

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

Welcome

AWS Signer is a fully managed code signing service to help you ensure the trust and integrity of your code.

AWS Signer supports the following applications:

With code signing for AWS Lambda, you can sign AWS Lambda deployment packages. Integrated support is provided for Amazon S3, Amazon CloudWatch, and AWS CloudTrail. In order to sign code, you create a signing proﬁle and then use Signer to sign Lambda zip ﬁles in S3.

With code signing for IoT, you can sign code for any IoT device that is supported by AWS. IoT code signing is available for Amazon FreeRTOS and AWS IoT Device Management, and is integrated with AWS Certiﬁcate Manager (ACM). In order to sign code, you import a third-party code signing certiﬁcate using ACM, and use that to sign updates in Amazon FreeRTOS and AWS IoT Device Management.

For more information about AWS Signer, see the AWS Signer Developer Guide.

This document was last published on March 6, 2022.

(8)

Actions

The following actions are supported:

• AddProﬁlePermission (p. 3)

• CancelSigningProﬁle (p. 6)

• DescribeSigningJob (p. 8)

• GetSigningPlatform (p. 14)

• GetSigningProﬁle (p. 17)

• ListProﬁlePermissions (p. 21)

• ListSigningJobs (p. 24)

• ListSigningPlatforms (p. 29)

• ListSigningProﬁles (p. 32)

• ListTagsForResource (p. 35)

• PutSigningProﬁle (p. 37)

• RemoveProﬁlePermission (p. 41)

• RevokeSignature (p. 43)

• RevokeSigningProﬁle (p. 45)

• StartSigningJob (p. 48)

• TagResource (p. 53)

• UntagResource (p. 55)

(9)

AddProﬁlePermission

Adds cross-account permissions to a signing proﬁle.

Request Syntax

POST /signing-profiles/profileName/permissions HTTP/1.1 Content-type: application/json

{ "action": "string", "principal": "string", "profileVersion": "string", "revisionId": "string", "statementId": "string"

}

URI Request Parameters

The request uses the following URI parameters.

proﬁleName (p. 3)

The human-readable name of the signing proﬁle.

Length Constraints: Minimum length of 2. Maximum length of 64.

Pattern: ^[a-zA-Z0-9_]{2,}

Required: Yes

Request Body

The request accepts the following data in JSON format.

action (p. 3)

The AWS Signer action permitted as part of cross-account permissions.

Type: String Required: Yes principal (p. 3)

The AWS principal receiving cross-account permissions. This may be an IAM role or another AWS account ID.

Type: String Required: Yes proﬁleVersion (p. 3)

The version of the signing proﬁle.

Type: String

(10)

Response Syntax

Length Constraints: Fixed length of 10.

Pattern: ^[a-zA-Z0-9]{10}$

Required: No revisionId (p. 3)

A unique identiﬁer for the current proﬁle revision.

Type: String Required: No statementId (p. 3)

A unique identiﬁer for the cross-account permission statement.

Type: String Required: Yes

Response Syntax

HTTP/1.1 200

Content-type: application/json {

"revisionId": "string"

}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

revisionId (p. 4)

A unique identiﬁer for the current proﬁle revision.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors (p. 84).

AccessDeniedException

You do not have suﬃcient access to perform this action.

HTTP Status Code: 403 ConﬂictException

The resource encountered a conﬂicting state.

HTTP Status Code: 409

(11)

See Also

InternalServiceErrorException An internal error occurred.

HTTP Status Code: 500 ResourceNotFoundException

A speciﬁed resource could not be found.

HTTP Status Code: 404 ServiceLimitExceededException

The client is making a request that exceeds service limits.

HTTP Status Code: 402 TooManyRequestsException

The allowed number of job-signing requests has been exceeded.

This error supersedes the error ThrottlingException.

HTTP Status Code: 429 ValidationException

You signing certiﬁcate could not be validated.

CancelSigningProﬁle

Changes the state of an ACTIVE signing proﬁle to CANCELED. A canceled proﬁle is still viewable with the ListSigningProfiles operation, but it cannot perform new signing jobs, and is deleted two years after cancelation.

Request Syntax

DELETE /signing-profiles/profileName HTTP/1.1

URI Request Parameters

The name of the signing proﬁle to be canceled.

Required: Yes

Request Body

The request does not have a request body.

Response Syntax

HTTP/1.1 200

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

HTTP Status Code: 403 InternalServiceErrorException

An internal error occurred.

(13)

See Also

ResourceNotFoundException

DescribeSigningJob

Returns information about a speciﬁc code signing job. You specify the job by using the jobId value that is returned by the StartSigningJob (p. 48) operation.

Request Syntax

GET /signing-jobs/jobId HTTP/1.1

URI Request Parameters

jobId (p. 8)

The ID of the signing job on input.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

"completedAt": number, "createdAt": number, "jobId": "string", "jobInvoker": "string", "jobOwner": "string", "overrides": {

"signingConfiguration": {

"encryptionAlgorithm": "string", "hashAlgorithm": "string"

},

"signingImageFormat": "string"

},

"platformDisplayName": "string", "platformId": "string",

"profileName": "string", "profileVersion": "string", "requestedBy": "string", "revocationRecord": { "reason": "string", "revokedAt": number, "revokedBy": "string"

},

"signatureExpiresAt": number, "signedObject": {

"s3": {

"bucketName": "string", "key": "string"

(15)

Response Elements

} },

"signingMaterial": {

"certificateArn": "string"

},

"signingParameters": { "string" : "string"

},

"source": { "s3": {

"bucketName": "string", "key": "string",

"version": "string"

} },

"status": "string", "statusReason": "string"

}

Response Elements

completedAt (p. 8)

Date and time that the signing job was completed.

Type: Timestamp createdAt (p. 8)

Date and time that the signing job was created.

Type: Timestamp jobId (p. 8)

The ID of the signing job on output.

Type: String jobInvoker (p. 8)

The IAM entity that initiated the signing job.

Type: String

Pattern: ^[0-9]{12}$

jobOwner (p. 8)

The AWS account ID of the job owner.

Type: String

Pattern: ^[0-9]{12}$

overrides (p. 8)

A list of any overrides that were applied to the signing operation.

(16)

Response Elements

Type: SigningPlatformOverrides (p. 77) object platformDisplayName (p. 8)

A human-readable name for the signing platform associated with the signing job.

Type: String platformId (p. 8)

The microcontroller platform to which your signed code image will be distributed.

Type: String proﬁleName (p. 8)

The name of the proﬁle that initiated the signing operation.

Type: String

proﬁleVersion (p. 8)

The version of the signing proﬁle used to initiate the signing job.

Type: String

requestedBy (p. 8)

The IAM principal that requested the signing job.

Type: String revocationRecord (p. 8)

A revocation record if the signature generated by the signing job has been revoked. Contains a timestamp and the ID of the IAM entity that revoked the signature.

Type: SigningJobRevocationRecord (p. 73) object signatureExpiresAt (p. 8)

Thr expiration timestamp for the signature generated by the signing job.

Type: Timestamp signedObject (p. 8)

Name of the S3 bucket where the signed code image is saved by code signing.

Type: SignedObject (p. 66) object signingMaterial (p. 8)

The Amazon Resource Name (ARN) of your code signing certiﬁcate.

Type: SigningMaterial (p. 74) object signingParameters (p. 8)

Map of user-assigned key-value pairs used during signing. These values contain any information that you speciﬁed for use in your signing job.

(17)

Errors

Type: String to string map source (p. 8)

The object that contains the name of your S3 bucket or your raw code.

Type: Source (p. 81) object status (p. 8)

Status of the signing job.

Type: String

Valid Values: InProgress | Failed | Succeeded statusReason (p. 8)

String value that contains the status reason.

Type: String

Errors

Examples

Describe a signing job

This example illustrates one usage of DescribeSigningJob.

Sample Request

GET /Prod/signing-jobs/9052caa6-1d8d-43b5-9ead-0cb8621c8c74 HTTP/1.1 Host: signer.us-east-1.amazonaws.com

(18)

See Also

Accept-Encoding: identity

Authorization: AWS4-HMAC-SHA256 Credential=access_key/us- east-1/signer/aws4_request, SignedHeaders=host;x-amz-date,

Signature=93e24ab743082913abfb466a13b2f65a7f3eec9893aa2dcbdc91d160b3d7ff67 X-Amz-Date: 20171115T165923Z

User-Agent: aws-cli/1.11.132 Python/2.7.9 Windows/8 botocore/1.5.95

Sample Response

HTTP/1.1 200 OK

Content-Type: application/json Content-Length: 631

Date: Wed, 15 Nov 2017 16:59:31 GMT

x-amzn-RequestId: 5946a79a-ca26-11e7-ae27-cda958f39b26

X-Amzn-Trace-Id: sampled=0;root=1-5a0c7273-fd33420b90425c1dc4b94bcc X-Cache: Miss from cloudfront

Via: 1.1 ce270f4a88edde7438864bc44406e83a.cloudfront.net (CloudFront) X-Amz-Cf-Id: hAkstXf07ycoa3HgI2MebhYgvyZ39K7zn2Z9mpqxsRlPjPphgaHZUQ==

Connection: Keep-alive

{ "jobId": "9052caa6-1d8d-43b5-9ead-0cb8621c8c74", "source": {

"s3": {

"bucketName": "signer-test-source", "key": "my-example-code.java",

"version": "W.OIrIFmjIFeuNXOaBJzPee66.wRg4GR"

}

}, "signingMaterial": {

"certificateArn": "arn:aws:acm:region:123456789012:certificate/9ec626ca-0bbb-4be5-83a2- ee563f8386ca"

},

"platform": "TexasInstruments", "signingParameters": null, "createdAt": 1510695622, "completedAt": 1510695623,

"requestedBy": "arn:aws:iam::123456789012:root", "status": "Succeeded",

"statusReason": "Signing success", "signedObject": {

"s3": {

"bucketName": "signer-test-dest",

"key": "9052caa6-1d8d-43b5-9ead-0cb8621c8c74"

} }}

GetSigningPlatform

Returns information on a speciﬁc signing platform.

Request Syntax

GET /signing-platforms/platformId HTTP/1.1

URI Request Parameters

platformId (p. 14)

The ID of the target signing platform.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

"category": "string", "displayName": "string", "maxSizeInMB": number, "partner": "string", "platformId": "string",

"revocationSupported": boolean, "signingConfiguration": {

"encryptionAlgorithmOptions": { "allowedValues": [ "string" ], "defaultValue": "string"

},

"hashAlgorithmOptions": { "allowedValues": [ "string" ], "defaultValue": "string"

} },

"signingImageFormat": { "defaultFormat": "string", "supportedFormats": [ "string" ] },

"target": "string"

}

Response Elements

(21)

Errors

category (p. 14)

The category type of the target signing platform.

Type: String

Valid Values: AWSIoT displayName (p. 14)

The display name of the target signing platform.

Type: String maxSizeInMB (p. 14)

The maximum size (in MB) of the payload that can be signed by the target platform.

Type: Integer partner (p. 14)

A list of partner entities that use the target signing platform.

The ID of the target signing platform.

Type: String

revocationSupported (p. 14)

A ﬂag indicating whether signatures generated for the signing platform can be revoked.

Type: Boolean

signingConﬁguration (p. 14)

A list of conﬁgurations applied to the target platform at signing.

Type: SigningConﬁguration (p. 67) object signingImageFormat (p. 14)

The format of the target platform's signing image.

Type: SigningImageFormat (p. 69) object target (p. 14)

The validation template that is used by the target signing platform.

Type: String

Errors

(22)

See Also

GetSigningProﬁle

Returns information on a speciﬁc signing proﬁle.

Request Syntax

GET /signing-profiles/profileName?profileOwner=profileOwner HTTP/1.1

URI Request Parameters

The name of the target signing proﬁle.

Required: Yes proﬁleOwner (p. 17)

The AWS account ID of the proﬁle owner.

Pattern: ^[0-9]{12}$

Request Body

Response Syntax

HTTP/1.1 200

"arn": "string", "overrides": {

},

"profileName": "string", "profileVersion": "string", "profileVersionArn": "string", "revocationRecord": {

"revocationEffectiveFrom": number, "revokedAt": number,

"revokedBy": "string"

(24)

Response Elements

},

"signatureValidityPeriod": { "type": "string",

"value": number },

},

"status": "string", "statusReason": "string", "tags": {

"string" : "string"

} }

Response Elements

arn (p. 17)

The Amazon Resource Name (ARN) for the signing proﬁle.

Type: String overrides (p. 17)

A list of overrides applied by the target signing proﬁle for signing operations.

Type: SigningPlatformOverrides (p. 77) object platformDisplayName (p. 17)

A human-readable name for the signing platform associated with the signing proﬁle.

The ID of the platform that is used by the target signing proﬁle.

Type: String proﬁleName (p. 17)

The name of the target signing proﬁle.

Type: String

proﬁleVersion (p. 17)

The current version of the signing proﬁle.

Type: String

(25)

Errors

proﬁleVersionArn (p. 17)

The signing proﬁle ARN, including the proﬁle version.

Type: String

revocationRecord (p. 17)

Revocation information for a signing proﬁle.

Type: SigningProﬁleRevocationRecord (p. 80) object signatureValidityPeriod (p. 17)

The validity period for a signing job.

Type: SignatureValidityPeriod (p. 65) object signingMaterial (p. 17)

The ARN of the certiﬁcate that the target proﬁle uses for signing operations.

Type: SigningMaterial (p. 74) object signingParameters (p. 17)

A map of key-value pairs for signing operations that is attached to the target signing proﬁle.

Type: String to string map status (p. 17)

The status of the target signing proﬁle.

Type: String

Valid Values: Active | Canceled | Revoked statusReason (p. 17)

Reason for the status of the target signing proﬁle.

Type: String tags (p. 17)

A list of tags associated with the signing proﬁle.

Type: String to string map

Map Entries: Maximum number of 200 items.

Key Length Constraints: Minimum length of 1. Maximum length of 128.

Key Pattern: ^(?!aws:)[a-zA-Z+-=._:/]+$

Value Length Constraints: Maximum length of 256.

Errors

(26)

See Also

ListProﬁlePermissions

Lists the cross-account permissions associated with a signing proﬁle.

Request Syntax

GET /signing-profiles/profileName/permissions?nextToken=nextToken HTTP/1.1

URI Request Parameters

nextToken (p. 21)

String for specifying the next set of paginated results.

Name of the signing proﬁle containing the cross-account permissions.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "nextToken": "string", "permissions": [ {

"action": "string", "principal": "string", "profileVersion": "string", "statementId": "string"

} ],

"policySizeBytes": number, "revisionId": "string"

}

Response Elements

(28)

Errors

Type: String permissions (p. 21)

List of permissions associated with the Signing Proﬁle.

Type: Array of Permission (p. 61) objects policySizeBytes (p. 21)

Total size of the policy associated with the Signing Proﬁle in bytes.

Type: Integer revisionId (p. 21)

The identiﬁer for the current revision of proﬁle permissions.

Type: String

Errors

ListSigningJobs

Lists all your signing jobs. You can use the maxResults parameter to limit the number of signing jobs that are returned in the response. If additional jobs remain to be listed, code signing returns a nextToken value. Use this value in subsequent calls to ListSigningJobs to fetch the remaining values. You can continue calling ListSigningJobs with your maxResults parameter and with new values that code signing returns in the nextToken parameter until all of your signing jobs have been returned.

Request Syntax

GET /signing-jobs?

isRevoked=isRevoked&jobInvoker=jobInvoker&maxResults=maxResults&nextToken=nextToken&platformId=platformId&requestedBy=requestedBy&signatureExpiresAfter=signatureExpiresAfter&signatureExpiresBefore=signatureExpiresBefore&status=status HTTP/1.1

URI Request Parameters

isRevoked (p. 24)

Filters results to return only signing jobs with revoked signatures.

jobInvoker (p. 24)

Filters results to return only signing jobs initiated by a speciﬁed IAM entity.

Pattern: ^[0-9]{12}$

maxResults (p. 24)

Speciﬁes the maximum number of items to return in the response. Use this parameter when

paginating results. If additional items exist beyond the number you specify, the nextToken element is set in the response. Use the nextToken value in a subsequent request to retrieve additional items.

Valid Range: Minimum value of 1. Maximum value of 25.

String for specifying the next set of paginated results to return. After you receive a response with truncated results, use this parameter in a subsequent request. Set it to the value of nextToken from the response that you just received.

The ID of microcontroller platform that you speciﬁed for the distribution of your code image.

requestedBy (p. 24)

The IAM principal that requested the signing job.

signatureExpiresAfter (p. 24)

Filters results to return only signing jobs with signatures expiring after a speciﬁed timestamp.

signatureExpiresBefore (p. 24)

Filters results to return only signing jobs with signatures expiring before a speciﬁed timestamp.

(31)

Request Body

status (p. 24)

A status value with which to ﬁlter your results.

Valid Values: InProgress | Failed | Succeeded

Request Body

Response Syntax

HTTP/1.1 200

"jobs": [ {

"createdAt": number, "isRevoked": boolean, "jobId": "string", "jobInvoker": "string", "jobOwner": "string",

"profileName": "string", "profileVersion": "string", "signatureExpiresAt": number, "signedObject": {

"s3": {

"bucketName": "string", "key": "string"

} },

},

"source": { "s3": {

"bucketName": "string", "key": "string", "version": "string"

} },

"status": "string"

} ],

"nextToken": "string"

}

Response Elements

jobs (p. 25)

A list of your signing jobs.

(32)

Errors

Type: Array of SigningJob (p. 70) objects nextToken (p. 25)

Type: String

Errors

Examples

Example

This example illustrates one usage of ListSigningJobs.

Sample Request

GET /Prod/signing-jobs?status=InProgress&platform=TexasInstruments&maxResults=10 HTTP/1.1 Host: qvvi640b53.execute-api.us-east-1.amazonaws.com

Accept-Encoding: identity

Authorization: AWS4-HMAC-SHA256 Credential=access_key/20171115/

us-east-1/signer/aws4_request, SignedHeaders=host;x-amz-date,

Signature=59e5f7ac6c2193c1eb163b0a8f3b2b3ec47fc5687631aa4d42bdcfacc14d626a X-Amz-Date: 20171115T173358Z

User-Agent: aws-cli/1.11.132 Python/2.7.9 Windows/8 botocore/1.5.95

Sample Response

HTTP/1.1 200 OK

Content-Type: application/json

(33)

Examples

Content-Length: 1896

Date: Wed, 15 Nov 2017 17:34:06 GMT

x-amzn-RequestId: 2e5eaaf7-ca2b-11e7-bfa0-e7cd77b24597

X-Amzn-Trace-Id: sampled=0;root=1-5a0c7a8e-66a88aa1083a4631ce1a9e45 X-Cache: Miss from cloudfront

Via: 1.1 9ba06853e586727720bf0a1bf763bad7.cloudfront.net (CloudFront) X-Amz-Cf-Id: BtaBXTGIVWfSRurtkK7aMOcg39oiA1Uz3UCoPPQm5LWu5bt72gV_cA==

Connection: Keep-alive { "jobs": [{

"jobId": "ade0f15c-5857-4fcd-b731-43530bbd2d7d", "source": {

"s3": {

"bucketName": "signer-test-source", "key": "my-example-code.java", "version": null

} },

"signedObject": { "s3": {

"key": "signed_images/ade0f15c-5857-4fcd-b731-43530bbd2d7d"

}

}, "signingMaterial": { "certificateArn":

"arn:aws:acm:region:123456789012:certificate/7a0ed941-64dd-419b-8b59-24378756fee3"

},

"createdAt": 1508345543, "status": "Succeeded"

}, {

"jobId": "9052caa6-1d8d-43b5-9ead-0cb8621c8c74", "source": {

"s3": {

} },

"key": "9052caa6-1d8d-43b5-9ead-0cb8621c8c74"

}

},

{ "jobId": "cc9067a9-9258-489a-abae-1c3408191071", "source": {

"s3": {

} },

(34)

See Also

"key": "cc9067a9-9258-489a-abae-1c3408191071"

} },

}, "createdAt": 1510698374, "status": "Succeeded"

}, {

"jobId": "ba506303-848d-4fb7-a07f-e8049eb5faa6", "source": {

"s3": {

} },

"key": "ba506303-848d-4fb7-a07f-e8049eb5faa6"

}

},

}], "nextToken": null }

ListSigningPlatforms

Lists all signing platforms available in code signing that match the request parameters. If additional jobs remain to be listed, code signing returns a nextToken value. Use this value in subsequent calls to ListSigningJobs to fetch the remaining values. You can continue calling ListSigningJobs with your maxResults parameter and with new values that code signing returns in the nextToken parameter until all of your signing jobs have been returned.

Request Syntax

GET /signing-platforms?

category=category&maxResults=maxResults&nextToken=nextToken&partner=partner&target=target HTTP/1.1

URI Request Parameters

category (p. 29)

The category type of a signing platform.

The maximum number of results to be returned by this operation.

Value for specifying the next set of paginated results to return. After you receive a response with truncated results, use this parameter in a subsequent request. Set it to the value of nextToken from the response that you just received.

partner (p. 29)

Any partner entities connected to a signing platform.

target (p. 29)

The validation template that is used by the target signing platform.

Request Body

Response Syntax

HTTP/1.1 200

"nextToken": "string", "platforms": [ {

"category": "string", "displayName": "string",

(36)

Response Elements

"maxSizeInMB": number, "partner": "string", "platformId": "string",

"revocationSupported": boolean, "signingConfiguration": {

"encryptionAlgorithmOptions": { "allowedValues": [ "string" ], "defaultValue": "string"

},

"hashAlgorithmOptions": { "allowedValues": [ "string" ], "defaultValue": "string"

} },

"signingImageFormat": { "defaultFormat": "string", "supportedFormats": [ "string" ] },

"target": "string"

} ] }

Response Elements

Value for specifying the next set of paginated results to return.

Type: String platforms (p. 29)

A list of all platforms that match the request parameters.

Type: Array of SigningPlatform (p. 75) objects

Errors

(37)

See Also

ListSigningProﬁles

Lists all available signing profiles in your AWS account. Returns only profiles with an ACTIVE status unless the includeCanceled request field is set to true. If additional jobs remain to be listed, code signing returns a nextToken value. Use this value in subsequent calls to ListSigningJobs to fetch the remaining values. You can continue calling ListSigningJobs with your maxResults parameter and with new values that code signing returns in the nextToken parameter until all of your signing jobs have been returned.

Request Syntax

GET /signing-profiles?

includeCanceled=includeCanceled&maxResults=maxResults&nextToken=nextToken&platformId=platformId&statuses=statuses HTTP/1.1

URI Request Parameters

includeCanceled (p. 32)

Designates whether to include proﬁles with the status of CANCELED.

The maximum number of proﬁles to be returned.

Value for specifying the next set of paginated results to return. After you receive a response with truncated results, use this parameter in a subsequent request. Set it to the value of nextToken from the response that you just received.

Filters results to return only signing jobs initiated for a speciﬁed signing platform.

statuses (p. 32)

Filters results to return only signing jobs with statuses in the speciﬁed list.

Valid Values: Active | Canceled | Revoked

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "nextToken": "string", "profiles": [

{

(39)

Response Elements

"arn": "string",

"profileName": "string", "profileVersion": "string", "profileVersionArn": "string", "signatureValidityPeriod": { "type": "string",

"value": number },

},

"status": "string", "tags": {

} } ]}

Response Elements

Value for specifying the next set of paginated results to return.

Type: String proﬁles (p. 32)

A list of proﬁles that are available in the AWS account. This includes proﬁles with the status of CANCELED if the includeCanceled parameter is set to true.

Type: Array of SigningProﬁle (p. 78) objects

Errors

(40)

See Also

ListTagsForResource

Returns a list of the tags associated with a signing proﬁle resource.

Request Syntax

GET /tags/resourceArn HTTP/1.1

URI Request Parameters

resourceArn (p. 35)

The Amazon Resource Name (ARN) for the signing proﬁle.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "tags": {

}}

Response Elements

tags (p. 35)

A list of tags associated with the signing proﬁle.

(42)

Errors

BadRequestException

The request contains invalid parameters for the ARN or tags. This exception also occurs when you call a tagging API on a cancelled signing proﬁle.

HTTP Status Code: 500 NotFoundException

The signing proﬁle was not found.

PutSigningProﬁle

Creates a signing profile. A signing profile is a code signing template that can be used to carry out a pre- defined signing job.

Request Syntax

PUT /signing-profiles/profileName HTTP/1.1 Content-type: application/json

{ "overrides": {

},

"platformId": "string", "signatureValidityPeriod": { "type": "string",

"value": number },

},

"signingParameters": { "string" : "string"

},

"tags": {

"string" : "string"

} }

URI Request Parameters

The name of the signing proﬁle to be created.

Required: Yes

Request Body

overrides (p. 37)

A subfield of platform. This specifies any different configuration options that you want to apply to the chosen platform (such as a different hash-algorithm or signing-algorithm).

Type: SigningPlatformOverrides (p. 77) object

(44)

Response Syntax

Required: No platformId (p. 37)

The ID of the signing platform to be created.

Type: String Required: Yes

signatureValidityPeriod (p. 37)

The default validity period override for any signature generated using this signing proﬁle. If unspeciﬁed, the default is 135 months.

Type: SignatureValidityPeriod (p. 65) object Required: No

signingMaterial (p. 37)

The AWS Certificate Manager certificate that will be used to sign code with the new signing profile.

Type: SigningMaterial (p. 74) object Required: No

signingParameters (p. 37)

Map of key-value pairs for signing. These can include any information that you want to use during signing.

Type: String to string map Required: No

tags (p. 37)

Tags to be associated with the signing proﬁle that is being created.

Required: No

Response Syntax

HTTP/1.1 200

Content-type: application/json { "arn": "string",

"profileVersion": "string", "profileVersionArn": "string"

}

(45)

Response Elements

arn (p. 38)

The Amazon Resource Name (ARN) of the signing proﬁle created.

Type: String proﬁleVersion (p. 38)

The version of the signing proﬁle being created.

Type: String

proﬁleVersionArn (p. 38)

The signing proﬁle ARN, including the proﬁle version.

Type: String

Errors

(46)

See Also

RemoveProﬁlePermission

Removes cross-account permissions from a signing proﬁle.

Request Syntax

DELETE /signing-profiles/profileName/permissions/statementId?revisionId=revisionId HTTP/1.1

URI Request Parameters

A human-readable name for the signing proﬁle with permissions to be removed.

Required: Yes revisionId (p. 41)

An identiﬁer for the current revision of the signing proﬁle permissions.

Required: Yes statementId (p. 41)

A unique identiﬁer for the cross-account permissions statement.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "revisionId": "string"

}

Response Elements

revisionId (p. 41)

An identiﬁer for the current revision of the proﬁle permissions.

(48)

Errors

Type: String

Errors

HTTP Status Code: 403 ConﬂictException

The resource encountered a conﬂicting state.

RevokeSignature

Changes the state of a signing job to REVOKED. This indicates that the signature is no longer valid.

Request Syntax

PUT /signing-jobs/jobId/revoke HTTP/1.1 Content-type: application/json

{ "jobOwner": "string", "reason": "string"

}

URI Request Parameters

jobId (p. 43)

ID of the signing job to be revoked.

Required: Yes

Request Body

jobOwner (p. 43)

AWS account ID of the job owner.

Type: String

Pattern: ^[0-9]{12}$

Required: No reason (p. 43)

The reason for revoking the signing job.

Type: String

Required: Yes

Response Syntax

HTTP/1.1 200

(50)

Response Elements

Errors

RevokeSigningProﬁle

Changes the state of a signing profile to REVOKED. This indicates that signatures generated using the signing profile after an effective start date are no longer valid.

Request Syntax

PUT /signing-profiles/profileName/revoke HTTP/1.1 Content-type: application/json

{ "effectiveTime": number, "profileVersion": "string", "reason": "string"

}

URI Request Parameters

The name of the signing proﬁle to be revoked.

Required: Yes

Request Body

eﬀectiveTime (p. 45)

A timestamp for when revocation of a Signing Profile should become effective. Signatures generated using the signing profile after this timestamp are not trusted.

Type: Timestamp Required: Yes proﬁleVersion (p. 45)

The version of the signing proﬁle to be revoked.

Type: String

Required: Yes reason (p. 45)

The reason for revoking a signing proﬁle.

(52)

Response Syntax

Type: String

Required: Yes

Response Syntax

HTTP/1.1 200

Response Elements

Errors

StartSigningJob

Initiates a signing job to be performed on the code provided. Signing jobs are viewable by the

ListSigningJobs operation for two years after they are performed. Note the following requirements:

• You must create an Amazon S3 source bucket. For more information, see Creating a Bucket in the Amazon S3 Getting Started Guide.

• Your S3 source bucket must be version enabled.

• You must create an S3 destination bucket. Code signing uses your S3 destination bucket to write your signed code.

• You specify the name of the source and destination buckets when calling the StartSigningJob operation.

• You must also specify a request token that identiﬁes your request to code signing.

You can call the DescribeSigningJob (p. 8) and the ListSigningJobs (p. 24) actions after you call StartSigningJob.

For a Java example that shows how to use this action, see StartSigningJob.

Request Syntax

POST /signing-jobs HTTP/1.1 Content-type: application/json { "clientRequestToken": "string", "destination": {

"s3": {

"bucketName": "string", "prefix": "string"

} },

"profileName": "string", "profileOwner": "string", "source": {

"s3": {

"bucketName": "string", "key": "string",

"version": "string"

} } }

URI Request Parameters

The request does not use any URI parameters.

Request Body

clientRequestToken (p. 48)

String that identifies the signing request. All calls after the first that use this token return the same response as the first call.

(55)

Response Syntax

Type: String Required: Yes destination (p. 48)

The S3 bucket in which to save your signed object. The destination contains the name of your bucket and an optional preﬁx.

Type: Destination (p. 58) object Required: Yes

The name of the signing proﬁle.

Type: String

Required: Yes proﬁleOwner (p. 48)

The AWS account ID of the signing proﬁle owner.

Type: String

Pattern: ^[0-9]{12}$

Required: No source (p. 48)

The S3 bucket that contains the object to sign or a BLOB that contains your raw code.

Type: Source (p. 81) object Required: Yes

Response Syntax

HTTP/1.1 200

"jobId": "string", "jobOwner": "string"

}

Response Elements

jobId (p. 49)

The ID of your signing job.

Code Signing for Amazon FreeRTOS API Reference API Version 2017-08-25

Code Signing for Amazon FreeRTOS

API Reference

API Version 2017-08-25

Code Signing for Amazon FreeRTOS: API Reference

Table of Contents

Welcome

Actions

AddProﬁlePermission

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

CancelSigningProﬁle

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

DescribeSigningJob

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

Examples

Describe a signing job

Sample Request

Sample Response

See Also

GetSigningPlatform

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

GetSigningProﬁle

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

ListProﬁlePermissions

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

ListSigningJobs

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

Examples

Example

Sample Request

Sample Response

See Also

ListSigningPlatforms

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also