• State Not Answered
  • Replies 2 replies
  • Subscribers 74 subscribers
  • Views 64 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 343924
Options

Application with MCUBoot and external signature

LukaWer

Hello everyone,

I'm working on a project based on the nRF52840, and I'm using nRF Connect SDK 2.9.0. The project uses MCUboot, but the firmware image is signed externally — outside of the build system. I'm looking for guidance on how to configure the project to disable automatic image signing during the build process. Specifically, I want to:

  1. Provide the public key to the MCUboot build process (so it can verify signatures). I do not have access to firmware private key.
  2. Prevent automatic image signing (image_signing.cmake) by the build system, as signing will be handled separately.

Any suggestions on the correct configuration for this setup?

  • 0

    Hi,

    Provide the public key to the MCUboot build process (so it can verify signatures). I do not have access to firmware private key.

    I got an example where I tried to do this. I last updated it for v2.5.2 or something like that, but the general method should still be the same:

    cp keys/test_pub.c build/mcuboot/zephyr/autogen-pubkey.c

    https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_manual_sign

    However, this does still need you to have access to the private key to sign your images. 

    Prevent automatic image signing (image_signing.cmake) by the build system, as signing will be handled separately.

    Here I got a sample that is built on https://github.com/mcu-tools/mcuboot/pull/1329. Sample:
    https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_detached_signature

    However, Im not sure I got the sample to work at that time.

    It might be easier for you to provide the signature manually. From MCUboot docs:

    "This signs the image by computing hash over the image, and then signing that hash. ... This signature is placed in the image trailer."

    If you watch this video in MCUboot flash layout, perhaps that helps.

    I hope this information can help you on your way.

    Let me know if you got any questions along the way!

    Regards,
    Sigurd Hellesvik

  • 0 in reply to Sigurd Hellesvik

    Hi Sigurd,

    Thank you very much for the quick and detailed reply!

    I forgot to mention earlier that I’m using Sysbuild in my setup (NCS 2.9.0), so the example you shared doesn’t directly apply — although it’s still very helpful for understanding the general mechanism.

    My actual goal is to inject the public key via configuration, so that it gets included in the MCUboot build, without needing to manually place or modify SDK internals.

    I’ve been analyzing the build process in NCS, and unfortunately, it seems that disabling the automatic inclusion of image_signing.cmake is not currently supported. I’ve tried using SIGNING_SCRIPT and CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE, but neither had the desired effect. Even though I was able to inject the public key successfully using SB_CONFIG_BOOT_SIGNATURE_KEY_FILE, the build system still passes that key to imgtool in the post-build step, which then tries to sign the image and causes the west build to fail — since the private key is not available.

    To add some context: this configuration is being applied in a CI pipeline, where we don't have access to the private key — signing is handled externally, in a secure environment.

    Thanks again for sharing the links and information. It's been very helpful in understanding the flow.

    Best regards,

    Lukasz

Related
Terms of service