• State Not Answered
  • Replies 3 replies
  • Subscribers 86 subscribers
  • Views 330 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 351908
Options

MCUboot imgtool CLI verify works, but direct Python script fails with key type mismatch when using public key

MTB

Hi,
I'm working with multiple versions of the nRF Connect SDK (v2.8.0, v3.0.0, v3.1.0) using the official VS Code integration on Windows and could verify this also on Ubuntu. I'm running into a strange issue when verifying signed firmware images using MCUboot's imgtool and the public key.

When I use the CLI version of imgtool (available in the PATH in some terminal profiles), verification works fine:

imgtool verify -k pub.pem app.signed.bin

But when I run the same verification using the Python script directly:

python C:\ncs\<toolchain-id>\bootloader\mcuboot\scripts\imgtool.py verify -k pub.pem app.signed.bin

I get the error:
Key type does not match TLV record

Using the private key for verificvation works in both instances.

The bootloader script requirements are installed. Both methods report the same version (2.1.0) for the imgtool and use the same Python interpreter from the toolchain (C:\ncs\toolchains\<toolchain-id>\opt\bin\python.exe). The cryptography package version is also the same (43.0.1). T

So far, this behavior is consistent across SDK versions and toolchains. The CLI version works, the direct script call fails. I suspect the CLI version might be wrapped or configured differently, but I can't find any documentation on this.

Also, I noticed that in the latest toolchain (SDK v3.1.0 with toolchain 3.1.0), the CLI version of imgtool is not available in the PATH by default, and I couldn't locate it in the toolchain folder either.

Can someone explain why the CLI and script behave differently, and whether the CLI version is intentionally excluded from newer toolchains? Is there a recommended way to enable it in VS Code terminal profiles?

Thanks in advance.

Best Regards
Marvin

  • 0

    Hi Marvin, 

    I don't think we use imgtool.exe at all in our SDK and it's removed at one point. 

    Please double check if you have the file pub.pem located in the same folder as the imgtool.exe file. 
    I suspect that you actually have 2 different files with the same pub.pem name located in 
    \toolchains\XXX\opt\bin\Scripts
    and in \NCSSDK\bootloader\mcuboot\scripts\

  • 0 in reply to Hung Bui

    Hi,

    thanks for your reply. 

    I usually use absolute path to the signing key, so maybe I shortened to much in my initial explanation. So the actual steps I use to reproduce the problem from a VS Code terminal profile is as follows:

    Working directory: C:\Users\XxXx
SDK:               nRF Connect SDK v2.8.0
Toolchain:         nRF Connect SDK Toolchain v2.8.0

PS C:\Users\XxXx> cd C:\
PS C:\> python "C:\ncs\v2.8.0\bootloader\mcuboot\scripts\imgtool.py" verify --key "D:\pub_test.pem" "D:\app.signed.bin"
Key type does not match TLV record
PS C:\> python "C:\ncs\v2.8.0\bootloader\mcuboot\scripts\imgtool.py" verify --key "D:\priv_test.pem" "D:\app.signed.bin"
Image was correctly validated
Image version: 0.30.1+0
Image digest: f8bc66f833c09ed59cd0bd48cf8c365836684fe52734cc6088047d175ede9150
PS C:\> imgtool  verify --key "D:\pub_test.pem" "D:\app.signed.bin"                                                     
Image was correctly validated
Image version: 0.30.1+0
Image digest: f8bc66f833c09ed59cd0bd48cf8c365836684fe52734cc6088047d175ede9150
PS C:\> imgtool  verify --key "D:\priv_test.pem" "D:\app.signed.bin"
Image was correctly validated
Image version: 0.30.1+0
Image digest: f8bc66f833c09ed59cd0bd48cf8c365836684fe52734cc6088047d175ede9150
PS C:\>

    In the example I use ncs v2.8 to show that the imgtool.exe is working. In ncs v3.1 the same behaviour is present for the python call of the script. 
    Neither in "\toolchains\XXX\opt\bin\Scripts" nor in "\NCSSDK\bootloader\mcuboot\scripts\" a .pem file is present

    Sorry for the confusion

  • 0 in reply to MTB

    Hello,

    I investigated this a bit futher and it seems the issue is already solved in the main branch of mcuboot/sdk_mcuboot by following commit scripts: imgtool: Add hash for ECDSA256P1Public · nrfconnect/sdk-mcuboot@1ed0218

    So I assume it will be in a ncs release soon.

    Thanks

Related
Terms of service