https://devzone.nordicsemi.com/f/nordic-q-a/117995/build-with-mcuboot-and-only-provide-public-keyHi We have a third party that develops some of our products, and this third party does not release their source code. However, we would like to sign our binaries with a private key but that would require that MCUBOOT has the corresponding public keyen-USTelligent Community 13Mon, 13 Jan 2025 15:08:46 GMThttps://devzone.nordicsemi.com/thread/518192?ContentTypeID=1Mon, 13 Jan 2025 15:08:46 GMT137ad170-7792-4731-bb38-c0d22fbe4515:078bcf98-d730-4e4e-b708-70ca7e872036Menon<p>Hello,</p> <p>Please <a href="https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_manual_sign#:~:text=Initially%20build%20the%20sample%20to%20generate%20a%20build%20folder.%20The%20private%20key%20in%20%22child_image/mcuboot/tmp_priv.pem%22%20is%20not%20important%20here.%20Copy%20the%20test_pub.c%20into%20mcuboot.%20This%20will%20make%20it%20use%20your%20key%20instead%20of%20the%20one%20generated%20from%20child_image/mcuboot/tmp_priv.pem%3A">take a look at this sample,</a> which showcases manual signing. Kindly use this repository only for reference, as it is outdated and not maintained according to the current NCS version.</p> <p>I hope this will serve your purpose.</p> <p>Kind regards,<br />Abhijith</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/518184?ContentTypeID=1Mon, 13 Jan 2025 14:46:56 GMT137ad170-7792-4731-bb38-c0d22fbe4515:6ffc0214-8103-4e51-b8b8-aff5bf342e6drobertp<p>Hi, thanks for the reply.</p> <p>Do you know how to embed the public key in the bootloader binary during or after build? I can&#39;t find any documentation about that.&nbsp;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/518181?ContentTypeID=1Mon, 13 Jan 2025 14:37:10 GMT137ad170-7792-4731-bb38-c0d22fbe4515:0a714494-4ff2-4336-8601-9281a8064da8Menon<p>Hello,</p> <p>I believe this is feasible. You can share the public key while keeping the private key secure with you. MCUBoot requires the public key to verify the signed application during the boot process. The public key is embedded into the bootloader binary during its build.</p> <p>The configuration parameter <a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html#CONFIG_BOOT_SIGNATURE_KEY_FILE">CONFIG_BOOT_SIGNATURE_KEY_FILE</a>&nbsp;specifies the file containing the private key used for signing the binaries. This private key is not needed during the application build process but is required during the MCUBoot build process.</p> <p>Ensure the private key remains in your possession and use it to sign the final application binary. Third parties can provide you with unsigned application binaries, which you can then sign before distribution.</p> <p>See the section <a href="https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/app_dev/bootloaders_dfu/mcuboot_nsib/bootloader_signature_keys.html">signature keys </a>for generating keys using different tools.</p> <p>Kind Regards,</p> <p>Abhijith</p><div style="clear:both;"></div>