Build with MCUBOOT and only provide public key

Hi

We have a third party that develops some of our products, and this third party does not release their source code. However, we would like to sign our binaries with a private key, but that would require that MCUBOOT has the corresponding public key for things like FOTA to work, if I understand things correctly. Is there a way for them to build their application with only a public key that we provide? We would like to keep this private key... well, private, and not release it to this third party if possible.

The config CONFIG_BOOT_SIGNATURE_KEY_FILE seems to be for private keys.

Kind regards
Robert
  • Hello,

    I believe this is feasible. You can share the public key while keeping the private key secure with you. MCUBoot requires the public key to verify the signed application during the boot process. The public key is embedded into the bootloader binary during its build.

    The configuration parameter CONFIG_BOOT_SIGNATURE_KEY_FILE specifies the file containing the private key used for signing the binaries. This private key is not needed during the application build process but is required during the MCUBoot build process.

    Ensure the private key remains in your possession and use it to sign the final application binary. Third parties can provide you with unsigned application binaries, which you can then sign before distribution.

    See the section signature keys for generating keys using different tools.

    Kind Regards,

    Abhijith

  • Hi, thanks for the reply.

    Do you know how to embed the public key in the bootloader binary during or after build? I can't find any documentation about that. 
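
The key-custody split described in Abhijith's reply, as an added example that is not part of the original thread and is not Nordic or MCUboot code. It uses plain openssl with ECDSA P-256 as a stand-in for the image-signing tool and does not produce MCUboot's image format; the function name, file names and sample binary are constructed for illustration.

```shell
# Added example: owner keeps the private key, the third party only ever
# receives the public half, and verification needs the public half alone.
custody_demo() {
    work=$(mktemp -d) || return 1

    # Product owner: generate the signing key pair (never leaves the owner).
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$work/owner_private.pem" 2>/dev/null || return 1

    # Product owner: export only the public half to hand to the third party.
    openssl ec -in "$work/owner_private.pem" -pubout \
        -out "$work/shared_public.pem" 2>/dev/null || return 1

    # Check before sharing: the exported file must hold no private key.
    if grep -q "PRIVATE KEY" "$work/shared_public.pem"; then
        rm -rf "$work"
        return 1
    fi

    # Third party: delivers an unsigned application binary (constructed bytes).
    printf 'constructed-unsigned-app-v1' > "$work/app_unsigned.bin"

    # Product owner: sign the delivered binary with the private key.
    openssl dgst -sha256 -sign "$work/owner_private.pem" \
        -out "$work/app.sig" "$work/app_unsigned.bin" || return 1

    # Verifier side: only the public key is available here.
    if openssl dgst -sha256 -verify "$work/shared_public.pem" \
        -signature "$work/app.sig" "$work/app_unsigned.bin" >/dev/null 2>&1
    then genuine=accepted; else genuine=rejected; fi

    # A binary changed after signing must fail the same check.
    printf 'constructed-unsigned-app-v1-modified' > "$work/app_tampered.bin"
    if openssl dgst -sha256 -verify "$work/shared_public.pem" \
        -signature "$work/app.sig" "$work/app_tampered.bin" >/dev/null 2>&1
    then tampered=accepted; else tampered=rejected; fi

    rm -rf "$work"
    echo "genuine=$genuine tampered=$tampered"
}

custody_demo
```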
