nrfutil package generation: avoiding security risks of saving signing key to disk

RE: nrfutil package generation: avoiding security risks of saving signing key to disk

Amanda Hsieh — Thu, 14 Nov 2024 13:51:19 GMT

Using named pipes could work in this situation:

mkfifo temporary_pipe
echo $MY_PRIVATE_KEY > temporary_pipe &
nrfutil pkg generate --key-file temporary_pipe
rm temporary_pipe

Data in named pipes are not stored on disk.

RE: nrfutil package generation: avoiding security risks of saving signing key to disk

cfernandezruns — Wed, 13 Nov 2024 15:24:35 GMT

That's disappointing, but thank you for the clarification.

RE: nrfutil package generation: avoiding security risks of saving signing key to disk

Amanda Hsieh — Wed, 13 Nov 2024 15:03:26 GMT

Hi,

The nrfutil only supports the file as a path and not process substitution.

Process substitution allows the output of a command (in this case, echo "$MY_PRIVATE_KEY") to be treated as if it were a file. This file-like object is represented as a special file descriptor (like /dev/fd/63), which can then be passed as an argument to programs that expect a file path.

Your usage is out of the scope of what we deliver. This is more of a generic Unix knowledge thing and not related to our tools. The only correct way is to provide a file path.

Regards,
Amanda H.