Environment
- NCS: v3.0.2 (Zephyr 4.0.99)
- Toolchain: Zephyr SDK 0.17.0 (arm-zephyr-eabi gcc 12.2)
- West: 1.2.0
- Building via nRF Connect / sysbuild
- Board: custom nRF52840 (project also builds fine on NCS 2.4.2)
Issue Summary:
I’m facing an issue with mcuboot in NCS 3.0.2. Initially, I started getting undefined reference to rsa_pub_key and rsa_pub_key_len during the build. To resolve this, I checked mcuboot_config.h and saw that only 2048 and 3072 bit RSA keys are supported. I then tried adding CONFIG_BOOT_SIGNATURE_TYPE_RSA_LEN=2048 in sysbuild.conf, but got this warning instead:
warning: attempt to assign the value '2048' to the undefined symbol BOOT_SIGNATURE_TYPE_RSA_LEN
sysbuild.conf:
SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_PARTITION_MANAGER=y
# SB_CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y
# SB_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=y
SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y
# SB_CONFIG_BOOT_SIGNATURE_TYPE_RSA_LEN=2048
SB_CONFIG_BOOT_SIGNATURE_KEY_FILE="D://Development//Repo//BLE_firmware_nRF//signature//infinity.pem"
prj.conf:
# Increased stack due to settings API usage
# CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=8192
CONFIG_BT=y
# CONFIG_BT_LL_SOFTDEVICE=n
# Enable Bluetooth Controller
CONFIG_BT_CTLR=y
CONFIG_BT_CTLR_TX_PWR_DYNAMIC_CONTROL=y
CONFIG_CLOCK_CONTROL_NRF_K32SRC_RC=y
CONFIG_BT_CTLR_TX_PWR_PLUS_8=y
# Enable SMP Server
CONFIG_MCUMGR=y
CONFIG_MCUMGR_GRP_IMG=y
# CONFIG_MCUMGR_GRP_IMG dependencies
CONFIG_IMG_MANAGER=y
# CONFIG_IMG_MANAGER dependencies
CONFIG_STREAM_FLASH=y
# CONFIG_MCUMGR dependencies
CONFIG_NET_BUF=y
CONFIG_ZCBOR=y
# Ensure an MCUboot-compatible binary is generated.
CONFIG_BOOTLOADER_MCUBOOT=y
CONFIG_BT_PERIPHERAL=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SCAN=y
CONFIG_BT_SCAN_FILTER_ENABLE=y
CONFIG_BT_SCAN_UUID_CNT=1
CONFIG_BT_GATT_DM=y
CONFIG_BT_GATT_CLIENT=y
CONFIG_BT_GATT_DYNAMIC_DB=y
CONFIG_BT_DEVICE_NAME="SB PINPAD"
CONFIG_BT_DEVICE_APPEARANCE=833
CONFIG_BT_DEVICE_NAME_DYNAMIC=n
# check if we need this
CONFIG_BT_SETTINGS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
# for LittleFS
CONFIG_FILE_SYSTEM=y
CONFIG_FILE_SYSTEM_LITTLEFS=y
# Enable logging
# IMPORTANT -> THIS MUST BE COMMENTED OUT DURING PRODUCTION
# CONFIG_LOG=y
CONFIG_SERIAL=y
CONFIG_CONSOLE=y
CONFIG_UART_CONSOLE=y
# CONFIG_LOG_DEFAULT_LEVEL=3
# CONFIG_LOG_MODE_IMMEDIATE=y
CONFIG_BT_CREATE_CONN_TIMEOUT=10
CONFIG_BT_CONN_PARAM_UPDATE_TIMEOUT=10000
CONFIG_BT_CONN_PARAM_RETRY_COUNT=6
CONFIG_BT_CONN_PARAM_RETRY_TIMEOUT=10000
CONFIG_BASE64=y
CONFIG_BT_L2CAP_TX_MTU=251
CONFIG_BT_BUF_ACL_RX_SIZE=256
CONFIG_BT_BUF_ACL_TX_SIZE=256
CONFIG_BT_PHY_UPDATE=n
CONFIG_BT_BUF_ACL_RX_COUNT=4
CONFIG_BT_BUF_ACL_TX_COUNT=4
CONFIG_BT_MAX_CONN=4
# Enable ADC for temp & Battery status
CONFIG_ADC=y
# Power Management
CONFIG_PM=y
CONFIG_PM_DEVICE=y
CONFIG_REBOOT=y
CONFIG_BT_DIS=y
# CONFIG_BT_DIS_MANUF="SwipBox International A/S"
# CONFIG_BT_DIS_MODEL="Infinity PINpad"
CONFIG_BT_DIS_PNP=n
CONFIG_BT_DIS_FW_REV=y
CONFIG_BT_DIS_FW_REV_STR="1.0.3"
CONFIG_BT_DIS_HW_REV=y
CONFIG_BT_DIS_HW_REV_STR="1"

CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=n
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_CRYPTO=y
CONFIG_MBEDTLS=y
# Enable nordic security backend and PSA APIs
CONFIG_NRF_SECURITY=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
# Algorithms
CONFIG_PSA_WANT_ALG_SHA_256=y
# Define key size
CONFIG_PSA_WANT_RSA_KEY_SIZE_1024=y
# Mbedtls configuration
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MCUMGR_TRANSPORT_BT=y
CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW=n
CONFIG_MCUMGR_TRANSPORT_BT_CONN_PARAM_CONTROL=y
# CONFIG_MCUMGR_TRANSPORT_UART=y
CONFIG_NCS_SAMPLE_MCUMGR_BT_OTA_DFU=y
# Enable the mcumgr Packet Reassembly feature over Bluetooth and its configuration dependencies.
# MCUmgr buffer size is optimized to fit one SMP packet divided into five Bluetooth Write Commands,
# transmitted with the maximum possible MTU value: 498 bytes.
CONFIG_MCUMGR_TRANSPORT_BT_REASSEMBLY=y
CONFIG_MCUMGR_GRP_OS_MCUMGR_PARAMS=y
CONFIG_THREAD_NAME=y
#32KB
CONFIG_MAIN_STACK_SIZE=27648
#18KB
CONFIG_HEAP_MEM_POOL_SIZE=18432
#8KB
CONFIG_MBEDTLS_HEAP_SIZE=7168
#5KB
CONFIG_FS_LITTLEFS_FC_HEAP_SIZE=5120
#8KB
CONFIG_BT_RX_STACK_SIZE=9216
#4KB
CONFIG_BT_HCI_TX_STACK_SIZE=5120
CONFIG_DISABLE_FLASH_PATCH=y
# CONFIG_MCUMGR_SMP_BT=y
# CONFIG_BT_DFU_SMP=y
# SMP GATT service registration
CONFIG_MCUMGR_TRANSPORT_BT_DYNAMIC_SVC_REGISTRATION=y
For context, I was using this same RSA signature setup in NCS 2.4.2 without any issue. Can someone clarify what’s changed in NCS 3.0.2, and also confirm if it’s possible to still use a 1024-bit RSA key with mcuboot in this version?
Thanks.
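
Added example, not part of the original post and not MCUboot or NCS code: a stand-alone Python check that reads the modulus size from an unencrypted RSA private-key PEM and compares it with the 2048 and 3072 bit sizes the post reports finding in mcuboot_config.h. The function names are hypothetical, and the sample key is constructed with a placeholder modulus (it is not a usable key).

```python
import base64
import re

# Key sizes the post reports finding in mcuboot_config.h.
SUPPORTED_BITS = (2048, 3072)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(pem_text):
    """Modulus size in bits of an unencrypted PKCS#1 or PKCS#8 RSA private key."""
    m = re.search(r"-----BEGIN (RSA )?PRIVATE KEY-----(.*?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no unencrypted RSA private key block found")
    der = base64.b64decode("".join(m.group(2).split()))
    _, pos, _ = read_tlv(der, 0)          # outer SEQUENCE: step inside
    _, _, pos = read_tlv(der, pos)        # version INTEGER: skip
    if not m.group(1):                    # PKCS#8 wraps the PKCS#1 structure
        _, _, pos = read_tlv(der, pos)    # AlgorithmIdentifier: skip
        _, pos, _ = read_tlv(der, pos)    # OCTET STRING: step inside
        _, pos, _ = read_tlv(der, pos)    # inner SEQUENCE: step inside
        _, _, pos = read_tlv(der, pos)    # inner version: skip
    tag, start, end = read_tlv(der, pos)  # modulus INTEGER
    if tag != 0x02:
        raise ValueError("unexpected DER layout")
    return int.from_bytes(der[start:end], "big").bit_length()

def check_signing_key(pem_text):
    """Return (bits, ok); ok is True when the size is in SUPPORTED_BITS."""
    bits = rsa_modulus_bits(pem_text)
    return bits, bits in SUPPORTED_BITS

def der_encode(tag, body):  # used only to build the constructed sample
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + head + body

def constructed_pem(bits):
    """Constructed sample: PKCS#1-shaped PEM with a placeholder modulus, not a real key."""
    ints = [0, (1 << (bits - 1)) | 1, 65537]
    body = b"".join(der_encode(2, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    b64 = base64.b64encode(der_encode(0x30, body)).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}\n-----END RSA PRIVATE KEY-----\n"
```

Passing the text of the signing key file to `check_signing_key()` before a build shows whether the key size is the mismatch; a 1024-bit key returns `(1024, False)`.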