MCUBoot - Firmware signature looks different at each build

Hi,

We are developing on an NRF9160 using the NRF Connect SDK v1.6.1. (The project started two years earlier).
We have set up a CI to ensure the integrity of the generated firmwares.

We use MCUBoot (v1.7.99) as a bootloader and we noticed
that two builds of the same firmware generate two different firmware signatures.
Indeed, during two builds:
- `app_to_sign.bin` is identical on both builds
- `app_update.bin` and `app_signed.hex` differ.

Analyzing the two `app_signed.hex`, we realize that the area in question is the TLV zone that includes the signature keys and firmware hashes, which is attached to the end of the firmwares.
The screenshot below highlights the differences between both `app_signed.hex`.

We don't understand the reasons for this behavior and we wish to fix it to allow us to regenerate an identical binary if there is a need to replay a pipeline from the CI.

Could you explain this to us and possibly see how to limit it?

Thank you in advance,

Regards,

Benjamin V.
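
For the comparison described in the post above, here is an added example (not part of the original post and not MCUboot or nRF Connect SDK code) that walks the TLV area of two signed images and names the entries whose values differ. It reads raw binary images such as `app_update.bin`, not Intel HEX. The header layout, magic numbers and TLV type codes are assumptions taken from MCUboot's image format, and `make_sample`, `BUILD_A` and `BUILD_B` are constructed test data with placeholder signature bytes.

```python
import hashlib
import struct

# Layout constants assumed from MCUboot's image format; none appear in the post.
IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGICS = (0x6907, 0x6908)  # unprotected / protected TLV area
TLV_NAMES = {0x01: "KEYHASH", 0x10: "SHA256", 0x20: "RSA2048_PSS", 0x22: "ECDSA_SIG", 0x24: "ED25519"}


def parse_tlvs(image):
    """Return [(name, value), ...] for every TLV entry after the image body."""
    magic, _, hdr_size, _, img_size = struct.unpack_from("<IIHHI", image, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image")
    off, tlvs = hdr_size + img_size, []
    while off + 4 <= len(image):
        info_magic, total = struct.unpack_from("<HH", image, off)
        if info_magic not in TLV_INFO_MAGICS:
            break  # padding or image trailer, no further TLV area
        pos, end = off + 4, off + total
        if total < 4 or end > len(image):
            raise ValueError("truncated TLV area")
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("<HH", image, pos)
            if pos + 4 + length > end:
                raise ValueError("TLV entry overruns its area")
            tlvs.append((TLV_NAMES.get(tlv_type, hex(tlv_type)), image[pos + 4:pos + 4 + length]))
            pos += 4 + length
        off = end
    return tlvs


def differing_tlvs(a, b):
    """Names of TLV entries whose values differ between two signed images."""
    ta, tb = parse_tlvs(a), parse_tlvs(b)
    if [n for n, _ in ta] != [n for n, _ in tb]:
        raise ValueError("TLV layout differs")
    return [n for (n, va), (_, vb) in zip(ta, tb) if va != vb]


def make_sample(sig):
    """Constructed image: 32-byte header, 64-byte body, three TLV entries."""
    body = bytes(range(64))
    hdr = struct.pack("<IIHHI", IMAGE_MAGIC, 0, 32, 0, len(body)).ljust(32, b"\0")
    vals = ((0x10, hashlib.sha256(hdr + body).digest()), (0x01, b"\x11" * 32), (0x22, sig))
    entries = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in vals)
    return hdr + body + struct.pack("<HH", TLV_INFO_MAGICS[0], 4 + len(entries)) + entries


BUILD_A, BUILD_B = make_sample(b"\xaa" * 70), make_sample(b"\xbb" * 70)  # placeholder signatures
```

If only the signature entry is reported while `SHA256` and `KEYHASH` match, both builds carry the same signed payload and the same key. ECDSA with a random nonce and RSA-PSS with a random salt yield a different valid signature on every signing run, so a CI reproducibility check can compare the image hash TLV instead of the whole signed file.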
