nrfutil package generation: avoiding security risks of saving signing key to disk

I am developing a GitHub CI pipeline to automatically compile, sign, and upload firmware images for an nRF52840 device.

Because I don't have direct control over the machine running GitHub's CI process, I want to avoid saving a `private_key.pem` file to disk just to sign the output.

I found an old PR (https://github.com/NordicSemiconductor/pc-nrfutil/issues/327) that describes this issue, and it appears that it was added to nrfutil.

However, I am having trouble using it.

I have tried saving the contents of my `private_key.pem` to an environment variable and passing them into nrfutil using process substitution, but it doesn't work properly. It looks like nrfutil is trying to find a file, instead of using the value of the variable I'm passing in.

nrfutil pkg generate --key-file <(echo $MY_PRIVATE_KEY)

Error: Invalid value for '--key-file': File '/dev/fd/63' does not exist.

What is the correct way to pass in a key-file that is not saved to disk?

Hi,

The nrfutil only supports the file as a path and not process substitution.

Process substitution allows the output of a command (in this case, echo "$MY_PRIVATE_KEY") to be treated as if it were a file. This file-like object is represented as a special file descriptor (like /dev/fd/63), which can then be passed as an argument to programs that expect a file path.

Your usage is out of the scope of what we deliver. This is more of a generic Unix knowledge thing and not related to our tools. The only correct way is to provide a file path.

Regards,
Amanda H.
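
Since nrfutil only accepts a key path, the remaining question for a CI job is how to give it one without leaving the PEM on persistent storage. The following POSIX shell helper is an added example, not code from the thread or from Nordic's tooling: it takes the key text from MY_PRIVATE_KEY (the variable named in the question), writes it to an owner-only temporary file, preferring a RAM-backed directory (/dev/shm) when one exists, runs the command with that path substituted for a KEYFILE placeholder, and deletes the file when the command finishes or the job is interrupted. The helper names, the KEYFILE placeholder and the package output file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Nordic's nrfutil): run a command
# that insists on a key *path* without leaving the private key on persistent
# storage. Assumptions: the PEM text is in $MY_PRIVATE_KEY (as in the question),
# the command is passed as arguments, and the literal argument KEYFILE is
# replaced by the temporary key path. ephemeral_dir, with_ephemeral_key_file
# and KEYFILE are hypothetical names chosen for this example.

# Prefer a RAM-backed directory so the key is never written to a disk-backed
# filesystem; fall back to $TMPDIR (or /tmp) when /dev/shm is unavailable.
ephemeral_dir() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        echo /dev/shm
    else
        echo "${TMPDIR:-/tmp}"
    fi
}

# with_ephemeral_key_file CMD [ARGS...]
# Writes $MY_PRIVATE_KEY to an owner-only (0600) temp file, substitutes KEYFILE
# in ARGS with that path, runs CMD, deletes the file (also on INT/TERM), and
# returns CMD's exit status. The body is a subshell so the umask and trap
# changes do not leak into the calling shell.
with_ephemeral_key_file() (
    [ -n "$MY_PRIVATE_KEY" ] || { echo "MY_PRIVATE_KEY is not set" >&2; exit 2; }
    umask 077
    keyfile=$(mktemp "$(ephemeral_dir)/signing-key.XXXXXX") || exit 1
    trap 'rm -f "$keyfile"' EXIT INT TERM
    printf '%s\n' "$MY_PRIVATE_KEY" > "$keyfile"

    # Rebuild the argument list, replacing the KEYFILE placeholder with the path.
    for arg in "$@"; do
        shift
        if [ "$arg" = "KEYFILE" ]; then
            set -- "$@" "$keyfile"
        else
            set -- "$@" "$arg"
        fi
    done

    "$@"
    status=$?
    exit "$status"   # the EXIT trap removes $keyfile; the command's status is kept
)

# Usage in a CI step (the nrfutil command is the one from the question; the
# package output name is an assumption):
#   with_ephemeral_key_file nrfutil pkg generate --key-file KEYFILE app_dfu_package.zip
```

The key still exists as a file for the duration of the signing command, which is unavoidable given the tool's interface; what the helper removes is the window after the step ends and the chance of the file being created world-readable or left behind on a failed run.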
