OTA Unsigned binary after first one is signed, espota.py reports [INFO]: Result: OK but update fails on esp8266

[maribeiro]

I have signed a binary and uploaded via OTA - so next OTA updates should be signed.
Then tried to see if the esp8266 would accept an unsigned binary - it's expected that it should not accept.
So I uploaded via OTA an unsigned binary, and espota.py reported [INFO]: Result: OK
But it actually failed on the esp8266 side with Error[4]: End Failed
First: why is espota reporting OK if it failed?
And second, shouldn't the error on the esp side be UPDATE_ERROR_SIGN ?

• Hardware: ESP-12e
• Core Version: latest git hash
• Development Env: Arduino IDE && Platformio
• Operating System: Windows

I have used ArduinoOTA sketch for this tests.

[devyte]

@earlephilhower I seem to remember this was a choice to allow rollback. Is that correct?

[earlephilhower]

After digging through stuff, this is all in the ArduinoOTA, the BasicOTA sketch, and espota.py from what I can see and not a security risk as the Updater.cpp class is always rejecting invalid/unsigned bins.

In reverse order:

And second, shouldn't the error on the esp side be UPDATE_ERROR_SIGN ?

Updater (the guy who actually does the work) is returning UPDATE_ERROR_SIGN just fine. However, the ArduinoOTA class (wrapper which feeds Updater) doesn't define anything like SIGN_ERR and just returns ERROR_END when there's an error when calling Updater::end.

If we add a new error code from ArduinoOTA then existing apps may break/output incorrect error messages when a signing fails. Leaving that as-is, you get "Error End" which is correct, if not specific. @devyte , @d-a-v , thoughts?

First: why is espota reporting OK if it failed?

Arduino/tools/espota.py

Lines 190 to 195 in 41d271d

	connection.settimeout(60)
	while not received_ok:
	if connection.recv(32).decode().find('O') >= 0:
	# connection will receive only digits or 'OK'
	received_ok = True;
	logging.info('Result: OK')

Guess what happens when an OTA error happens...it sends "ERROR xxxx". That's got an O, so as far as espota cares it's "OK". D'oh!
edit: It's actually better than that. The received_ok var is set to True on every successful 1.4K chunk written to the ESP8266, but it is never reset to False. So the entire while loop is completely skipped and it jumps straight to the logging ok output!

I'll throw together a PR for the espota.py thing. The other bit, I think should leave as-is.

[devyte]

Agree with @earlephilhower. The behavior could be improved for the specific sign error, but if done it would have to be for next major.

[maribeiro]

Thank you very much for your time.
It's not an urgent thing to do , so take your time :)