[Bug report] Signing of XIP split images does not take into account TF-M builds when disabling Partition Manager

In NCS v3.3.0 the signing of binaries fails when building the Non-Secure application (built with TF-M) in combination with XIP, split images and a disabled partition manager:

SB_CONFIG_SECURE_BOOT_APPCORE=y
SB_CONFIG_BOOTLOADER_MCUBOOT=y
SB_CONFIG_QSPI_XIP_SPLIT_IMAGE=y
SB_CONFIG_PARTITION_MANAGER=n
SB_CONFIG_PM_EXTERNAL_FLASH_MCUBOOT_SECONDARY=n

It seems like b0_mcuboot_signing.cmake and image_signing_split.cmake do not take into account builds with TF-M. The signing script retrieves the header_size from CONFIG_ROM_START_OFFSET; however, this Kconfig is set to 0 when BUILD_WITH_TFM is selected. This causes defective signing.
Also, in image_signing_split.cmake the signing partition is taken from the zephyr,code-partition property. This fails for TF-M builds, since it will point to slot0_ns_partition. Signing should, however, be done from the start of the TF-M partition (which is slot0_partition + CONFIG_TFM_MCUBOOT_HEADER_SIZE).
I also see that the signing for TF-M builds is fixed in the NCS v3.4.0 repository for b0_mcuboot_signing.cmake but not for image_signing_split.cmake.
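A post-build check for the header-size mismatch described in the report, as an added example that is not part of the original post or of the NCS build scripts. It reads the Kconfig symbols named above from a `.config`, derives the header size the signing step should use, and compares it with `ih_hdr_size` in the signed image's MCUboot header. The sample `.config` values, the `make_header` helper and the function names are constructed for illustration.

```python
import struct

IMAGE_MAGIC = 0x96F3B83D  # ih_magic of an MCUboot image header

# Constructed sample: a TF-M build where CONFIG_ROM_START_OFFSET is 0.
SAMPLE_CONFIG = """\
CONFIG_BUILD_WITH_TFM=y
CONFIG_ROM_START_OFFSET=0x0
CONFIG_TFM_MCUBOOT_HEADER_SIZE=0x200
"""

def parse_kconfig(text):
    """Parse .config-style text into a dict of raw string values."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key] = value.strip('"')
    return cfg

def expected_header_size(cfg):
    """Header size signing should use: the TF-M value when TF-M is built."""
    if cfg.get("CONFIG_BUILD_WITH_TFM") == "y":
        return int(cfg["CONFIG_TFM_MCUBOOT_HEADER_SIZE"], 0)
    return int(cfg["CONFIG_ROM_START_OFFSET"], 0)

def make_header(hdr_size, img_size=0x1000):
    """Constructed 32-byte MCUboot header (little-endian), for the demo only."""
    return struct.pack("<IIHHIIBBHII", IMAGE_MAGIC, 0, hdr_size, 0,
                       img_size, 0, 1, 0, 0, 0, 0)

def check_signed_image(blob, cfg):
    """Return a list of problems found in a signed image's MCUboot header."""
    if len(blob) < 32:
        return ["image shorter than the 32-byte MCUboot header"]
    magic, _load_addr, hdr_size = struct.unpack_from("<IIH", blob, 0)
    want = expected_header_size(cfg)
    problems = []
    if magic != IMAGE_MAGIC:
        problems.append(f"bad ih_magic {magic:#x}")
    if hdr_size != want:
        problems.append(f"ih_hdr_size {hdr_size:#x} != expected {want:#x}")
    return problems

if __name__ == "__main__":
    cfg = parse_kconfig(SAMPLE_CONFIG)
    print(check_signed_image(make_header(0x0), cfg))
```

Running the same check against the first 32 bytes of each signed split image in a CI step flags a build whose signing used the wrong header size before the image is flashed.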