Application with MCUBoot and external signature

Hi,

Provide the public key to the MCUboot build process (so it can verify signatures). I do not have access to firmware private key.

I got an example where I tried to do this. I last updated it for v2.5.2 or something like that, but the general method should still be the same:

cp keys/test_pub.c build/mcuboot/zephyr/autogen-pubkey.c

https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_manual_sign

However, this does still need you to have access to the private key to sign your images. 

Prevent automatic image signing (image_signing.cmake) by the build system, as signing will be handled separately.

Here I got a sample that is built on https://github.com/mcu-tools/mcuboot/pull/1329. Sample:
https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_detached_signature

However, Im not sure I got the sample to work at that time.

It might be easier for you to provide the signature manually. From MCUboot docs:

"This signs the image by computing hash over the image, and then signing that hash. ... This signature is placed in the image trailer."

If you watch this video in MCUboot flash layout, perhaps that helps.

I hope this information can help you on your way.

Let me know if you got any questions along the way!

Regards,
Sigurd Hellesvik

Hi,

Provide the public key to the MCUboot build process (so it can verify signatures). I do not have access to firmware private key.

I got an example where I tried to do this. I last updated it for v2.5.2 or something like that, but the general method should still be the same:

cp keys/test_pub.c build/mcuboot/zephyr/autogen-pubkey.c

https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_manual_sign

However, this does still need you to have access to the private key to sign your images. 

Prevent automatic image signing (image_signing.cmake) by the build system, as signing will be handled separately.

Here I got a sample that is built on https://github.com/mcu-tools/mcuboot/pull/1329. Sample:
https://github.com/hellesvik-nordic/samples_for_nrf_connect_sdk/tree/main/bootloader_samples/keys_and_signatures/mcuboot_detached_signature

However, Im not sure I got the sample to work at that time.

It might be easier for you to provide the signature manually. From MCUboot docs:

"This signs the image by computing hash over the image, and then signing that hash. ... This signature is placed in the image trailer."

If you watch this video in MCUboot flash layout, perhaps that helps.

I hope this information can help you on your way.

Let me know if you got any questions along the way!

Regards,
Sigurd Hellesvik

Hi Sigurd,

Thank you very much for the quick and detailed reply!

I forgot to mention earlier that I’m using Sysbuild in my setup (NCS 2.9.0), so the example you shared doesn’t directly apply — although it’s still very helpful for understanding the general mechanism.

My actual goal is to inject the public key via configuration, so that it gets included in the MCUboot build, without needing to manually place or modify SDK internals.

I’ve been analyzing the build process in NCS, and unfortunately, it seems that disabling the automatic inclusion of image_signing.cmake is not currently supported. I’ve tried using SIGNING_SCRIPT and CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE, but neither had the desired effect. Even though I was able to inject the public key successfully using SB_CONFIG_BOOT_SIGNATURE_KEY_FILE, the build system still passes that key to imgtool in the post-build step, which then tries to sign the image and causes the west build to fail — since the private key is not available.

To add some context: this configuration is being applied in a CI pipeline, where we don't have access to the private key — signing is handled externally, in a secure environment.

Thanks again for sharing the links and information. It's been very helpful in understanding the flow.

Best regards,

Lukasz

Sigurd Hellesvik said:

However, Im not sure I got the sample to work at that time.

I see in the PR that I say

and from this it does look like I got that working after all.

LukaWer said:

My actual goal is to inject the public key via configuration, so that it gets included in the MCUboot build, without needing to manually place or modify SDK internals.

From what I can find, this is not supported out of the box.
I think the pubkey is generated in CMakeListst.txt for MCUboot.
If you want, you can for example add a new Kconfig symbol and then do an "if/else" here to use your public key instead generating it here, I think.

LukaWer said:

To add some context: this configuration is being applied in a CI pipeline, where we don't have access to the private key — signing is handled externally, in a secure environment.

Yes, this is why the PR I linked below lets you take in just the signature.
On the same topic, I found this git issue as well: https://github.com/mcu-tools/mcuboot/issues/1519. Did not look that close at it, but it seems relevant "I have been trying to move my project over from being signed by a local signing key to an external signing service."