diff --git a/.gitmodules b/.gitmodules
index 353ca2f92..7538561b3 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -16,8 +16,7 @@
 	branch = master
 [submodule "third_party/COSE-C/repo"]
 	path = third_party/COSE-C/repo
-	url = https://github.com/wgtdkp/COSE-C.git
-	branch = master
+	url = https://github.com/gocarlos/COSE-C.git
 [submodule "third_party/cn-cbor/repo"]
 	path = third_party/cn-cbor/repo
 	url = https://github.com/jimsch/cn-cbor.git
diff --git a/build.sh b/build.sh
new file mode 100755
index 000000000..bf9d419a8
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+rm -rf build
+mkdir build
+cd build && cmake .. && make $*
diff --git a/cmake-format.yaml b/cmake-format.yaml
new file mode 100644
index 000000000..8086dd480
--- /dev/null
+++ b/cmake-format.yaml
@@ -0,0 +1,20 @@
+# https://github.com/cheshirekow/cmake_format
+
+# usage:
+
+# pip install cmake_format --upgrade
+# ./scripts/format_cmake.sh
+
+# How wide to allow formatted cmake files
+line_width: 120
+
+# How many spaces to tab for indent
+tab_size: 2
+
+# Format command names consistently as 'lower' or 'upper' case
+command_case: "lower"
+
+first_comment_is_literal: False
+
+# enable comment markup parsing and reflow
+enable_markup: False
diff --git a/src/library/CMakeLists.txt b/src/library/CMakeLists.txt
index da0120c49..13d1b48d0 100644
--- a/src/library/CMakeLists.txt
+++ b/src/library/CMakeLists.txt
@@ -78,7 +78,7 @@ target_sources(commissioner
 target_link_libraries(commissioner
     PRIVATE
         cn-cbor::cn-cbor
-        cose
+        cose-c::cose-c
         mdns
         mbedtls
         mbedx509
@@ -112,7 +112,7 @@ install(TARGETS commissioner
 if (BUILD_SHARED_LIBS)
     install(FILES
                 $<TARGET_FILE:cn-cbor::cn-cbor>
-                $<TARGET_FILE:cose>
+                $<TARGET_FILE:cose-c::cose-c>
                 $<TARGET_FILE:mdns>
                 $<TARGET_FILE:mbedtls>
                 $<TARGET_FILE:mbedx509>
@@ -155,7 +155,7 @@ target_link_libraries(commissioner-test
     PRIVATE
         Catch2::Catch2
         cn-cbor::cn-cbor
-        cose
+        cose-c::cose-c
         mdns
         mbedtls
         mbedx509
diff --git a/src/library/cose.cpp b/src/library/cose.cpp
index daebb0499..f403beeb0 100644
--- a/src/library/cose.cpp
+++ b/src/library/cose.cpp
@@ -81,11 +81,11 @@ Error Sign1Message::Deserialize(Sign1Message &aCose, const ByteArray &aBuf)
 {
     Error       error = Error::kNone;
     int         type;
-    HCOSE_SIGN0 sign;
+    HCOSE_SIGN1 sign;
 
     VerifyOrExit(!aBuf.empty(), error = Error::kInvalidArgs);
-    sign = reinterpret_cast<HCOSE_SIGN0>(COSE_Decode(&aBuf[0], aBuf.size(), &type, COSE_sign0_object, nullptr));
-    VerifyOrExit(sign != nullptr && type == COSE_sign0_object, error = Error::kBadFormat);
+    sign = reinterpret_cast<HCOSE_SIGN1>(COSE_Decode(&aBuf[0], aBuf.size(), &type, COSE_sign1_object, nullptr));
+    VerifyOrExit(sign != nullptr && type == COSE_sign1_object, error = Error::kBadFormat);
 
     aCose.mSign = sign;
 
@@ -107,14 +107,14 @@ Error Sign1Message::Validate(const CborMap &aCborPublicKey)
 
 Error Sign1Message::Validate(const mbedtls_pk_context &aPubKey)
 {
-    Error                             error = Error::kNone;
-    const struct mbedtls_ecp_keypair *eckey;
+    Error                      error = Error::kNone;
+    const mbedtls_ecp_keypair *eckey;
 
     // Accepts only EC keys
     VerifyOrExit(mbedtls_pk_can_do(&aPubKey, MBEDTLS_PK_ECDSA), error = Error::kInvalidArgs);
     VerifyOrExit((eckey = mbedtls_pk_ec(aPubKey)) != nullptr, error = Error::kInvalidArgs);
 
-    VerifyOrExit(COSE_Sign0_validate_eckey(mSign, eckey, nullptr), error = Error::kSecurity);
+    VerifyOrExit(COSE_Sign1_validate_eckey(mSign, eckey, nullptr), error = Error::kSecurity);
 
 exit:
     return error;
@@ -128,7 +128,7 @@ Error Sign1Message::Sign(const mbedtls_pk_context &aPrivateKey)
     VerifyOrExit(mbedtls_pk_can_do(&aPrivateKey, MBEDTLS_PK_ECDSA), error = Error::kInvalidArgs);
     VerifyOrExit((eckey = mbedtls_pk_ec(aPrivateKey)) != nullptr, error = Error::kInvalidArgs);
 
-    VerifyOrExit(COSE_Sign0_Sign_eckey(mSign, eckey, nullptr), error = Error::kSecurity);
+    VerifyOrExit(COSE_Sign1_Sign_eckey(mSign, eckey, nullptr), error = Error::kSecurity);
 
 exit:
     return error;
diff --git a/src/library/cose.hpp b/src/library/cose.hpp
index fb2c8dbff..5aa54094a 100644
--- a/src/library/cose.hpp
+++ b/src/library/cose.hpp
@@ -40,7 +40,8 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#include <cose.h>
+#include "cbor.hpp"
+#include <cose/cose.h>
 #include <mbedtls/pk.h>
 
 #include <commissioner/defines.hpp>
@@ -109,7 +110,7 @@ class Sign1Message : public Object
 private:
     Error AddAttribute(int key, cn_cbor *value, int flags);
 
-    HCOSE_SIGN0 mSign;
+    HCOSE_SIGN1 mSign;
 };
 
 Error MakeCoseKey(ByteArray &aEncodedCoseKey, const mbedtls_pk_context &aKey, const ByteArray &aKeyId);
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
index e69de29bb..44b39198c 100644
--- a/tests/unit/CMakeLists.txt
+++ b/tests/unit/CMakeLists.txt
@@ -0,0 +1,75 @@
+#
+#  Copyright (c) 2019, The OpenThread Authors.
+#  All rights reserved.
+#
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#  1. Redistributions of source code must retain the above copyright
+#     notice, this list of conditions and the following disclaimer.
+#  2. Redistributions in binary form must reproduce the above copyright
+#     notice, this list of conditions and the following disclaimer in the
+#     documentation and/or other materials provided with the distribution.
+#  3. Neither the name of the copyright holder nor the
+#     names of its contributors may be used to endorse or promote products
+#     derived from this software without specific prior written permission.
+#
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+#  POSSIBILITY OF SUCH DAMAGE.
+#
+
+add_executable(commissioner-tests)
+
+target_sources(commissioner-tests
+    PRIVATE
+        main.cpp
+        test_address.cpp
+        test_coap_secure.cpp
+        test_coap.cpp
+        test_commissioner_impl.cpp
+        test_cose.cpp
+        test_dtls.cpp
+        test_json.cpp
+        test_mesh_local_addr.cpp
+        test_pskc.cpp
+        test_socket.cpp
+        test_token_manager.cpp
+)
+
+target_link_libraries(commissioner-tests
+    PRIVATE
+        cn-cbor::cn-cbor
+        cose-c::cose-c
+        mdns
+        mbedtls
+        mbedx509
+        mbedcrypto
+        pthread
+        fmt::fmt
+        event_core
+        event_pthreads
+        commissioner
+        commissioner-app
+        commissioner-common
+)
+
+target_include_directories(commissioner-tests
+    PRIVATE
+        ${PROJECT_SOURCE_DIR}/src/app
+        ${PROJECT_SOURCE_DIR}/src/library
+        ${PROJECT_SOURCE_DIR}/third_party/Catch2/repo/single_include
+)
+
+add_custom_target(test-commissioner
+    COMMAND ./commissioner-tests
+    DEPENDS commissioner-tests
+    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+)
diff --git a/third_party/CMakeLists.txt b/third_party/CMakeLists.txt
index 76d16f002..bbc102beb 100644
--- a/third_party/CMakeLists.txt
+++ b/third_party/CMakeLists.txt
@@ -27,17 +27,36 @@
 #
 
 add_subdirectory(Catch2/repo)
+add_subdirectory(mbedtls)
 
-set(CN_CBOR_FATAL_WARNINGS OFF CACHE BOOL "Disable -Werror and /W4")
-set(CN_CBOR_COVERALLS OFF CACHE BOOL "Disable generating coveralls data")
-set(CN_CBOR_BUILD_TESTS OFF CACHE BOOL "Disable compiling cbor tests")
+set(CN_CBOR_FATAL_WARNINGS
+    OFF
+    CACHE BOOL "Disable -Werror and /W4" FORCE)
+set(CN_CBOR_COVERALLS
+    OFF
+    CACHE BOOL "Disable generating coveralls data" FORCE)
+set(CN_CBOR_BUILD_TESTS
+    OFF
+    CACHE BOOL "Disable compiling cbor tests" FORCE)
 add_subdirectory(cn-cbor/repo)
 
-add_subdirectory(COSE-C)
+set(BUILD_SHARED_LIBS
+    OFF
+    CACHE BOOL "Disbale generating coveralls data")
+set(COSE_C_COVERALLS
+    OFF
+    CACHE BOOL "do not link gcov" FORCE)
+set(COSE_C_USE_FIND_PACKAGE
+    ON
+    CACHE BOOL "do not download packages" FORCE)
+set(COSE_C_USE_MBEDTLS
+    ON
+    CACHE BOOL "use mbedtls" FORCE)
+add_subdirectory(COSE-C/repo)
+
 add_subdirectory(fmtlib/repo)
 add_subdirectory(json/repo)
 
 add_subdirectory(libevent)
 
-add_subdirectory(mbedtls)
 add_subdirectory(mdns/repo)
diff --git a/third_party/COSE-C/CMakeLists.txt b/third_party/COSE-C/CMakeLists.txt
deleted file mode 100644
index ba200f76f..000000000
--- a/third_party/COSE-C/CMakeLists.txt
+++ /dev/null
@@ -1,72 +0,0 @@
-#
-#  Copyright (c) 2019, The OpenThread Authors.
-#  All rights reserved.
-#
-#  Redistribution and use in source and binary forms, with or without
-#  modification, are permitted provided that the following conditions are met:
-#  1. Redistributions of source code must retain the above copyright
-#     notice, this list of conditions and the following disclaimer.
-#  2. Redistributions in binary form must reproduce the above copyright
-#     notice, this list of conditions and the following disclaimer in the
-#     documentation and/or other materials provided with the distribution.
-#  3. Neither the name of the copyright holder nor the
-#     names of its contributors may be used to endorse or promote products
-#     derived from this software without specific prior written permission.
-#
-#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-#  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-#  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-#  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
-#  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-#  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-#  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-#  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-#  POSSIBILITY OF SUCH DAMAGE.
-#
-
-add_library(cose)
-
-target_sources(cose
-    PRIVATE
-        repo/src/bcrypt.c
-        repo/src/cbor.c
-        repo/src/cose_int.h
-        repo/src/Cose.c
-        repo/src/crypto.h
-        repo/src/Encrypt.c
-        repo/src/Encrypt0.c
-        repo/src/key.c
-        repo/src/MacMessage.c
-        repo/src/MacMessage0.c
-        repo/src/mbedtls.c
-        repo/src/openssl.c
-        repo/src/Recipient.c
-        repo/src/Sign.c
-        repo/src/Sign0.c
-        repo/src/SignerInfo.c
-)
-
-target_compile_definitions(cose
-    PUBLIC USE_MBED_TLS
-)
-
-target_compile_options(cose
-    PRIVATE
-        -std=gnu99
-        -Wall
-        -Wextra
-        -Wfatal-errors
-        -pedantic
-)
-
-target_link_libraries(cose
-    PUBLIC
-        cn-cbor
-        mbedtls
-)
-
-target_include_directories(cose
-    PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/repo/include
-)
diff --git a/third_party/COSE-C/repo b/third_party/COSE-C/repo
index 059e8f4db..a590f555b 160000
--- a/third_party/COSE-C/repo
+++ b/third_party/COSE-C/repo
@@ -1 +1 @@
-Subproject commit 059e8f4dbe9827ed89f6731e95052a5a1b79ed94
+Subproject commit a590f555b6c6bcd1882788162f0bd925ef0b0aea