nrfutil package generation: avoiding security risks of saving signing key to disk

I am developing a Github CI pipeline to automatically compile, sign, and upload firmware images for an nRF52840 device.

Because I don't have direct control over the machine running Github's CI process, I want to avoid saving a `private_key.pem` file to disk just to sign the output.

I found an old PR (https://github.com/NordicSemiconductor/pc-nrfutil/issues/327) that describes this issue, and it appears that it was added to nrfutil.

However, I am having trouble using it.

I have tried saving the contents of my `private_key.pem` to an environment variable and passing them into nrfutil using process substitution, but it doesn't work properly. It looks like nrfutil is trying to find a file, instead of using the value of the variable I'm passing in.

```
nrfutil pkg generate --key-file <(echo $MY_PRIVATE_KEY)
```

```
Error: Invalid value for '--key-file': File '/dev/fd/63' does not exist.
```

What is the correct way to pass in a key-file that is not saved to disk?
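The following is an added example, not code from the original post or from Nordic's nrfutil. It assumes, as the error message above suggests, that the tool insists on a real path for `--key-file`, so rather than fighting the existence check it stages the key in a memory-backed directory (`/dev/shm` when present, otherwise a normal temporary directory), restricts it to mode 0600, runs the supplied command with the path in `$KEYFILE`, and destroys the file afterwards whether or not the command succeeded. The function name `with_key_file`, the `KEYFILE` variable and the `WITH_KEY_FILE_LAST_PATH` bookkeeping variable are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from nrfutil itself).
# Assumption: the signing tool only accepts a path to an existing file for
# --key-file, so the key material is staged briefly in a memory-backed
# directory with 0600 permissions and removed immediately after use.
#
# Usage: with_key_file "$KEY_MATERIAL" command [args...]
# The command sees the temporary path in the environment variable KEYFILE.
with_key_file() {
    key_material=$1; shift

    # Prefer /dev/shm (tmpfs on typical Linux runners) so the key never
    # touches persistent storage; fall back to mktemp's default otherwise.
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        dir=$(mktemp -d /dev/shm/signkey.XXXXXX)
    else
        dir=$(mktemp -d)
    fi
    keyfile="$dir/key.pem"

    # umask 077 inside a subshell: the file is created owner-only without
    # changing the caller's umask.
    (umask 077; printf '%s\n' "$key_material" > "$keyfile")

    # Run the caller's command; capture its status without aborting under set -e.
    rc=0
    KEYFILE="$keyfile" "$@" || rc=$?

    # Best-effort overwrite before unlink (GNU shred), otherwise plain rm.
    if command -v shred >/dev/null 2>&1; then
        shred -u "$keyfile" 2>/dev/null || rm -f "$keyfile"
    else
        rm -f "$keyfile"
    fi
    rmdir "$dir"

    # Record the path so a caller (or a test) can verify it is gone.
    WITH_KEY_FILE_LAST_PATH=$keyfile
    return $rc
}

# Example invocation (hypothetical file names; MY_PRIVATE_KEY is the CI secret):
# with_key_file "$MY_PRIVATE_KEY" sh -c \
#     'nrfutil pkg generate --key-file "$KEYFILE" --application app.hex app_dfu.zip'
```

In a CI job the secret already exists in the runner's memory and environment, so this pattern only removes the persistent on-disk copy; it does not protect against a compromised runner. If the job can be cancelled mid-step, pair the function with a `trap ... EXIT` in the calling script so the cleanup also runs on termination.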
