articles/iot-hub-device-update/device-update-rootkey.md
Lines changed: 7 additions & 6 deletions
@@ -19,24 +19,25 @@ Before learning about the Device Update root key rotation process, learn about r
19
19
20
20
## Root key rotation schedule change
21
21
22
-
The Device Update for IoT Hub team was previously planning to rotate ADU.200702.R, the root key currently being used for validating signing keys associated with update manifests, on August 26, 2025. The rotation of that key would have meant that the Device Update service would stop signing imported content with a key that chains up to ADU.200702.R, and begin signing using a key that chains up to ADU.200703.R.
22
+
The Device Update for IoT Hub team was previously planning to rotate ADU.200702.R, the root key currently being used for validating signing keys associated with update manifests, on August 26, 2025. The rotation of that key would have meant that the Device Update service would stop signing imported content with a key that chains up to ADU.200702.R. Then, the service would have started signing using a key that chains up to ADU.200703.R.
23
23
24
-
Based on feedback from many of our customers on the impact of the root key rotation, the Device Update for IoT Hub team determined that it’s safe to postpone the August 2025 rotation to give customers more time to be ready for the rotation. Once a new date is available for this rotation event, it will be announced at least one year before the rotation will occur.
24
+
Based on feedback from our customers on the impact of the rotation, the Device Update for IoT Hub team is postponing the August 2025 rotation. This will give customers more time to be ready for the rotation. Once a new date is available for this rotation event, it will be announced at least one year in advance.
25
25
26
26
## How to validate if your devices are ready for a future rotation or revocation
27
27
28
-
If you haven’t already completed the testing of the ADU.200703.R root key that will be used after the eventual rotation, it’s recommended to do so as soon as possible. This is because, in the unlikely case of a malicious actor being able to exploit the current ADU.200702.R root key prior to the rotation, the Device Update team would immediately revoke the ADU.200702.R root key and begin signing with ADU.200703.R root key. If you’ve confirmed via testing that your devices currently support the ADU.200703.R root key, it will minimize how much you’re impacted by this scenario.
28
+
If you haven’t tested the ADU.200703.R root key that will be used after the eventual rotation, doing so as soon as possibleis recommended. In the unlikely case of a malicious actor being able to exploit the current ADU.200702.R root key before a scheduled rotation, the Device Update team would immediately revoke the ADU.200702.R root key and begin signing with ADU.200703.R root key. Confirming via testing that your devices currently support the ADU.200703.R root key means the impact of this scenario is minimized.
29
29
30
30
The Device Update team created a test mechanism to validate if your devices can receive content signed with ADU.200703.R. Instructions:
31
31
32
-
1. Download a [special test file](https://a.b.nlu.dl.adu.microsoft.com/swedencentral/testfiles/root-key-test-update.txt). This exact file _must_ be used, because the Device Update service will look for the file hash at import time. The matching file hash in your import manifest should be: **KGyJ9tM6JSLHQq0gdKUmsVvB6Y4z0pMKdQNAd8jTGH0=**
32
+
1. Download a [special test file](https://a.b.nlu.dl.adu.microsoft.com/swedencentral/testfiles/root-key-test-update.txt). This exact file _must_ be used, because the Device Update service looks for the file hash at import time. The matching file hash in your import manifest should be: **KGyJ9tM6JSLHQq0gdKUmsVvB6Y4z0pMKdQNAd8jTGH0=**
33
+
34
+
1.[Create an update](create-update.md) for your testing. You can use any files you'd like, but you must also include the special test file in your import manifest. A best practice is for your update to change the device in a way that's easy to verify, like changing the version number of a file or adding a new file.
33
35
34
-
2.[Create an update](create-update.md) to test with. You can use any file(s) you'd like, but you must also include the special test file in your import manifest. It's recommended that your update change the devices in a way that's easy to verify later (such as changing the version number on a file, or adding a new file that wasn't on the device).
35
36
3. Import and deploy the update to your devices just like you normally would.
36
37
1. Verify that the update succeeded on your devices. If it did, your devices can receive updates signed with ADU.200703.R and are ready for the next rotation (or possible revocation).
37
38
38
39
> [!NOTE]
39
-
> It's strongly recommended to adopt Device Update Agent version 1.1.0 or later, which will automatically obtain all future root keys for your devices as needed, including during a revocation event.
40
+
> Adopting [Device Update Agent version 1.1.0 or later](https://github.com/Azure/iot-hub-device-update/releases) is strongly recommended, which will automatically obtain all future root keys for your devices as needed, including during a revocation event.
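Review bot: In the rewritten paragraph under "How to validate if your devices are ready for a future rotation or revocation", "doing so as soon as possibleis recommended" is missing the space between "possible" and "is". The step list now mixes markers: the rewritten "Create an update" step uses "1." while the unchanged next step still reads "3.", so either switch every step to "1." or keep explicit numbering throughout. In the NOTE, "Adopting ... is strongly recommended, which will automatically obtain all future root keys" leaves "which" attached to the recommendation rather than to the agent; splitting it into two sentences, with the second starting "That version automatically obtains all future root keys", would fix this. Step 1 also gives the expected file hash without naming the hash algorithm or encoding; stating both would let readers check the downloaded test file against that value before importing it.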