signing zephyr images - west sign

Currently, I am following the guide for the Zephyr sample: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/README.html

But when I build an app with: west build -b nrf52_pca10040
and then try to sign the build: west sign -t imgtool -- --key root-rsa-2048.pem
as explained in the west sign doc:
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/west/sign.html

I get an error:

=== image configuration:
partition offset: 49152 (0xc000)
partition size: 204800 (0x32000)
text section offset: 0 (0x0)
=== signed binaries:
bin: /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.signed.bin
Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Error: Invalid value for "-H" / "--header-size": Minimum value for -H/--header-size is 32
FATAL ERROR: command exited with status 2: /home/voja/.virtualenvs/zephyenv/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key root-rsa-2048.pem /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.bin /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.signed.bin

This also happens with other apps. For example, I tried it with the hello_world sample and got the same result. Before compiling, I added CONFIG_BOOTLOADER_MCUBOOT=y to the prj.conf file.

My system:
zephyr version: Booting Zephyr OS build v2.1.99-ncs1
nRF-Connect-SDK version v1.2.0 on the Ubuntu 18.04LTS


Do you know what might be the problem?

Best regards,
Vojislav.

  • Hi Vojislav,

    First of all, you should not need to do this manually, since the partition manager should sign the application automatically when you have used CONFIG_BOOTLOADER_MCUBOOT and generate the app_signed.hex. That said, it looks like you need to specify the header size, so you could try:

    west sign -t imgtool -- --key root-rsa-2048.pem -H 32

    Einar

  • Also, I would like to know more about what each bin and hex means:
    app_signed.hex (signed application ready for update)
    app_test_update.hex
    app_to_sign.bin
    app_update.bin
    app_moved_test_update.hex

    These are all described here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs 
    Most importantly, app_update.bin is the signed version of the application that should be used for DFU/FOTA purposes.

    "My next question is with which key (.pem) file is this app file signed?"

    The pem file used is the file configured in mcuboot. This file is specified by the Kconfig option BOOT_SIGNATURE_KEY_FILE in the mcuboot image (note that you have to invoke "ninja mcuboot_menuconfig" to reach the configuration of the mcuboot image instead of your normal application menuconfig).

    "And if I flash merged.hex using jLink is that also signed with the same key?"

    Yes, all bootable images (only the app in your case) inside merged.hex are signed with that key. MCUBoot only supports one key.

    "Can you recommend me a place where I can read more about this?"

    As already mentioned - https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs
    Also you have https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/scripts/partition_manager/partition_manager.html#hex-files explaining how merging of files works.

    "For me problem with the current build is that I can not use app_signed.hex with nRF Connect Android App because this app requires .bin format. I am able to do an update using app_update.bin file, but I cannot use app_signed.hex"

    As stated above, the slightly badly named app_update.bin is the correct signed version.

    To avoid problems, you should stick to using the automatically signed binaries/hexes and avoid using the west sign command, as this is only useful for non-NCS users who do not have the benefit of automatic signing.
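
Added example, not part of the thread and not Nordic's or MCUboot's own code: a small Python inspector for an MCUboot-signed image such as app_update.bin. It shows why imgtool rejects a header size below 32 (the image header it writes is a 32-byte structure) and reads back the key hash and signature type stored in the trailing TLV area. The magic numbers and TLV type codes are MCUboot image-format values that are not stated in the thread; the sample image, key-hash input and zeroed signature are constructed, and the signature itself is not verified.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D        # MCUboot image header magic
TLV_INFO_MAGIC = 0x6907         # start of the unprotected TLV area
HEADER_FMT = "<IIHHIIBBHII"     # 32-byte header, little-endian
TLV_NAMES = {0x01: "KEYHASH", 0x10: "SHA256", 0x20: "RSA2048_PSS",
             0x22: "ECDSA256", 0x23: "RSA3072_PSS", 0x24: "ED25519"}

def inspect_image(blob):
    """Parse an MCUboot-signed image; return header fields and TLV summary."""
    if len(blob) < struct.calcsize(HEADER_FMT):
        raise ValueError("shorter than the 32-byte image header")
    (magic, _load, hdr_size, prot_size, img_size, _flags,
     major, minor, rev, build, _pad) = struct.unpack_from(HEADER_FMT, blob)
    if magic != IMAGE_MAGIC:
        raise ValueError("no MCUboot header: unsigned or raw zephyr.bin?")
    off = hdr_size + img_size
    hashed = blob[:off + prot_size]   # header + body + protected TLVs
    off += prot_size                  # skip the protected TLV area, if any
    if off + 4 > len(blob):
        raise ValueError("file ends before the TLV area")
    tlv_magic, tlv_total = struct.unpack_from("<HH", blob, off)
    if tlv_magic != TLV_INFO_MAGIC:
        raise ValueError("TLV area not found where the header says")
    end, off, tlvs = off + tlv_total, off + 4, {}
    while off + 4 <= end:
        t, length = struct.unpack_from("<HH", blob, off)
        tlvs[TLV_NAMES.get(t, hex(t))] = blob[off + 4:off + 4 + length]
        off += 4 + length
    return {
        "header_size": hdr_size,
        "version": f"{major}.{minor}.{rev}+{build}",
        "digest_ok": tlvs.get("SHA256") == hashlib.sha256(hashed).digest(),
        "key_hash": tlvs.get("KEYHASH", b"").hex(),
        "signature_types": [n for n in tlvs if n not in ("KEYHASH", "SHA256")],
    }

def build_sample():
    """Constructed sample: 32-byte header, 16-byte body, dummy signature."""
    body = b"\xAA" * 16
    hdr = struct.pack(HEADER_FMT, IMAGE_MAGIC, 0, 32, 0, len(body), 0, 1, 2, 3, 4, 0)
    entries = [(0x01, hashlib.sha256(b"constructed public key").digest()),
               (0x10, hashlib.sha256(hdr + body).digest()),
               (0x20, b"\x00" * 256)]   # placeholder, not a real signature
    tlv = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in entries)
    return hdr + body + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlv)) + tlv

if __name__ == "__main__":
    print(inspect_image(build_sample()))
```

The key_hash field is the SHA-256 of the signing public key, so comparing it across app_update.bin builds shows whether they were signed with the same key.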
