signing zephyr images - west sign

Question

Currently, I am following guide of zephyr sample: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/README.html But when I build an app with: west build -b nrf52_pca10040 and then try to sign the build: west sign -t imgtool -- --key root-rsa-2048.pem like explained in the west sign doc: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/west/sign.html I get an error: === image configuration:
partition offset: 49152 (0xc000)
partition size: 204800 (0x32000)
text section offset: 0 (0x0)
=== signed binaries:
bin: /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.signed.bin
Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Error: Invalid value for "-H" / "--header-size": Minimum value for -H/--header-size is 32
FATAL ERROR: command exited with status 2: /home/voja/.virtualenvs/zephyenv/bin/imgtool sign --version 0.0.0+0 --align 4 --header-size 0 --slot-size 204800 --key root-rsa-2048.pem /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.bin /home/voja/Documents/irnas/ncs/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/build/zephyr/zephyr.signed.bin 
 This is happening also with other apps. For example, tried doing it with hello_world sample, and got the same result. Before compiling I added CONFIG_BOOTLOADER_MCUBOOT=y to the prj.conf file. 
 my system: zephyr version: Booting Zephyr OS build v2.1.99-ncs1 nRF-Connect-SDK version v1.2.0 on the Ubuntu 18.04LTS 
 Do you know what might be a problem? Best regards, Vojislav.

shibshab · Accepted Answer

Vojislav said: Also, I would like to know more about what each bin and hex means: app_signed.hex (signed application ready for update) app_test_update.hex app_to_sign.bin app_update.bin app_moved_test_update.hex 
 These are all described here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs Most importantly, app_update.bin is the signed version of the application that should be used for DFU/FOTA purposes. " My next question is with which key (.pem) file is this app file signed?" The pem file used is the file configured in mcuboot. This file is specified by the kconfig option BOOT_SIGNATURE_KEY_FILE in the mcuboot image (note that you have to invoke "ninja mcuboot_menuconfig" to reach the configuration of the mcuboot image instead of your normal application menuconfig. " And if I flash merged.hex using jLink is that also signed with the same key?" Yes, all bootable images (only the app in your case) inside merged.hex are signed with that key. MCUBoot only support one key. "Can you recommend me a please where I can read more about this?" As already mentioned - https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/mcuboot/readme-ncs.html#mcuboot-ncs Also you have https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/scripts/partition_manager/partition_manager.html#hex-files explaining how merging of files work. "For me problem with the current build is that I can not use app_signed.hex with nRF Connect Android App because this app requires .bin format. I am able to do an update using app_update.bin file, but I cannot use app_signed.hex" As stated above, the slightly badly named app_update.bin is the correct signed version. To avoid problems you should stick to using the automatically signed binaries/hexes and avoid using the west sign command as this is only useful for non-NCS users which does not have the benefit of automatic signing.

signing zephyr images - west sign

Top Replies