https://devzone.nordicsemi.com/f/nordic-q-a/120900/signing-and-verifying-with-openssl-vs-nrfutilThe issue I&#39;m having is signature verification failing when I sign my firmware package and perform a DFU. I&#39;ve generated signing key pairs with the nrfutil CLI tool, signed a package, and performed a DFU successfully (following the bootloader exampleen-USTelligent Community 13Fri, 25 Apr 2025 15:46:00 GMThttps://devzone.nordicsemi.com/thread/533053?ContentTypeID=1Fri, 25 Apr 2025 15:46:00 GMT137ad170-7792-4731-bb38-c0d22fbe4515:41953d2f-9c58-43f5-91d1-57b3d9fab565Vidar Berg<p>Hi, please let me know if you have made any progress on this. I have not had enough time to investigate this further. Regarding endianess, at least the public key is split into R and S in the code. This is relevant if you need to swap the byte order of that key:&nbsp;&nbsp;<a href="https://devzone.nordicsemi.com/f/nordic-q-a/75260/ecdsa-with-nrfutil-generated-key/311211">RE: ECDSA with nrfutil generated key</a>&nbsp;&nbsp;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/532835?ContentTypeID=1Thu, 24 Apr 2025 13:11:16 GMT137ad170-7792-4731-bb38-c0d22fbe4515:b63a6645-4029-46ef-a841-346a7ac85d0dfwd159<p>Hi Vidar,</p> <p>Thanks for your reply!</p> <p>I have a feeling the issue is a matter of byte order.</p> <p>I did use the nrfutil repo (signing.py) as a reference while looking into nrfutil and OpenSSL. I ended up writing a short script to test&nbsp;the Python library that nrfutil uses (ecdsa) and the Python library our server uses (cryptography). I wanted to make sure without a doubt that it&#39;s possible to sign an Init packet with one library and verify the signature with the other. After a first attempt to sign something with nrfutil, I noticed it was failing its own verification! This is when I realized that the ecdsa Python library likely&nbsp;expects&nbsp;big-endian data, but for Nordic, the signature needs to be stored in the Init packet as little-endian.&nbsp;As long as the signature is in the right format, both libraries are able to verify the signatures.</p> <p>I&#39;m not sure if it matters, but I know when we make the API call to the server, the server response is base 64 encoded.</p> <p>I&#39;ve tried&nbsp;the byte order both ways for the signature and both ways still fail signature verification. Do you have any recommendations? Also,&nbsp;is the nrfutil verify function an accurate representation of the verification process that happens in the Bootloader during a DFU?</p> <p>Thanks</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/532746?ContentTypeID=1Thu, 24 Apr 2025 08:07:58 GMT137ad170-7792-4731-bb38-c0d22fbe4515:5b5377c1-b7fc-4f5f-b64b-d3341842d009Vidar Berg<p>Hello,</p> <p>Unfortunately, we do not have any samples demonstrating how you can sign the DFU init packet with openssl. The SDK documentation only explains how you can create the keypair with openssl. Did you&nbsp;use the&nbsp;<a href="https://github.com/NordicSemiconductor/pc-nrfutil/blob/master/nordicsemi/dfu/signing.py">https://github.com/NordicSemiconductor/pc-nrfutil/blob/master/nordicsemi/dfu/signing.py</a>&nbsp;implementation from nrfutil as a reference?&nbsp;</p> <p>This thread may also be relevant:&nbsp;<a href="https://devzone.nordicsemi.com/f/nordic-q-a/113154/aws-key-management-system---dfu-package-signing">AWS Key Management System - DFU Package Signing</a>&nbsp;</p> <p>Best regards,</p> <p>Vidar</p><div style="clear:both;"></div>