Application with MCUBoot and external signature

Hello everyone,

I'm working on a project based on the nRF52840, and I'm using nRF Connect SDK 2.9.0. The project uses MCUboot, but the firmware image is signed externally — outside of the build system. I'm looking for guidance on how to configure the project to disable automatic image signing during the build process. Specifically, I want to:

  1. Provide the public key to the MCUboot build process (so it can verify signatures). I do not have access to firmware private key.
  2. Prevent automatic image signing (image_signing.cmake) by the build system, as signing will be handled separately.

Any suggestions on the correct configuration for this setup?

Parents Reply Children
  • Hi Sigurd,

    Thank you very much for the quick and detailed reply!

    I forgot to mention earlier that I’m using Sysbuild in my setup (NCS 2.9.0), so the example you shared doesn’t directly apply — although it’s still very helpful for understanding the general mechanism.

    My actual goal is to inject the public key via configuration, so that it gets included in the MCUboot build, without needing to manually place or modify SDK internals.

    I’ve been analyzing the build process in NCS, and unfortunately, it seems that disabling the automatic inclusion of image_signing.cmake is not currently supported. I’ve tried using SIGNING_SCRIPT and CONFIG_MCUBOOT_GENERATE_UNSIGNED_IMAGE, but neither had the desired effect. Even though I was able to inject the public key successfully using SB_CONFIG_BOOT_SIGNATURE_KEY_FILE, the build system still passes that key to imgtool in the post-build step, which then tries to sign the image and causes the west build to fail — since the private key is not available.

    To add some context: this configuration is being applied in a CI pipeline, where we don't have access to the private key — signing is handled externally, in a secure environment.

    Thanks again for sharing the links and information. It's been very helpful in understanding the flow.

    Best regards,

    Lukasz

  • Sigurd Hellesvik said:
    However, Im not sure I got the sample to work at that time.

    I see in the PR that I say

    and from this it does look like I got that working after all.

    LukaWer said:
    My actual goal is to inject the public key via configuration, so that it gets included in the MCUboot build, without needing to manually place or modify SDK internals.

    From what I can find, this is not supported out of the box.
    I think the pubkey is generated in CMakeListst.txt for MCUboot.
    If you want, you can for example add a new Kconfig symbol and then do an "if/else" here to use your public key instead generating it here, I think.

    LukaWer said:
    To add some context: this configuration is being applied in a CI pipeline, where we don't have access to the private key — signing is handled externally, in a secure environment.

    Yes, this is why the PR I linked below lets you take in just the signature.
    On the same topic, I found this git issue as well: https://github.com/mcu-tools/mcuboot/issues/1519. Did not look that close at it, but it seems relevant "I have been trying to move my project over from being signed by a local signing key to an external signing service."

Related