This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Documentation on generating/using custom signing key for FOTA in nRF Connect SDK

Hello Nordic Team,

Over the course of development I have had to reverse engineer and pick apart various sources (DevZone, Google, Zephyr documentation, etc) in order to figure out how to properly generate and utilize a custom, private signing key for our FOTA images. I currently have a working solution but it feels more like a hack and as I frequently test on the master branch to prepare for upcoming changes, it appears that the method I am using is generating warnings.

My question is: is there any official documentation and/or guide on how to properly generate and sign images using a custom signing key and how that is integrated into a project (ie asset_tracker)?

I want to make sure that I am doing it right and that it is properly integrated into my project and build system.

Thanks,
Cody

0 Simon over 3 years ago

This should get done automatically, as mentioned in this ticket and in Signing Binaries, just make sure to set CONFIG_BOOTLOADER_MCUBOOT=y and CONFIG_MCUBOOT_SIGNATURE_KEY_FILE="path to your key" in prj.conf of your application. Then the files mentioned here should be generated.

Best regards,

Simon
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Cody over 3 years ago in reply to Simon

Hey @Simon,

Thanks for getting back to me. I ensured that the two configuration options were part of my projects prj.conf (CONFIG_BOOTLOADER_MCUBOOT and CONFIG_MCUBOOT_SIGNATURE_KEY_FILE). When I attempt to build the project, I get the following message...

CMake Warning at /ncs_v1.4/nrf/cmake/mcuboot.cmake:303 (message):
CONFIG_MCUBOOT_SIGNATURE_KEY_FILE is set to
"build/key/testkey/testkey-rsa-2048.pem".

You are using the NCS Mcuboot signing, which means this option will be
ignored.

Image signing in NCS is done via the MCUboot image's
CONFIG_BOOT_SIGNATURE_KEY_FILE option.

Consider setting CONFIG_MCUBOOT_SIGNATURE_KEY_FILE in your application
image back to its default value, the empty string.
Call Stack (most recent call first):
/ncs_v1.4/bootloader/mcuboot/zephyr/CMakeLists.txt:1 (include)

It looks like it relates to this commit here: https://github.com/nrfconnect/sdk-nrf/commit/45c9fbbc330ecd24eecd43c7dd0cfcdd4e93b8f4

The commit mentions the following...

"If partition manager is in use and there are multiple images, we want to make sure users understand this option should probably be left alone, since the NCS build system has its own way of managing signing."

Can you explain how the NCS build system has its own way of managing signing?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Simon over 3 years ago in reply to Cody

I'm sorry for the delay on this. I will look into it the next couple of days.

Best regards,

Simon
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Simon over 3 years ago in reply to Simon

I'm sorry for the delay on this. I have not looked into this topic (singing, keys, etc..) very much and I put off some time yesterday and today to get an overview of how all this works. I'm gradually getting a better understanding of this and will try to provide you with an answer soon.

Best regards,

Simon
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Simon over 3 years ago in reply to Simon

I provided an answer to your question in the ticket NCS recommended MCUboot enabled apps build and flash methods. Take a look at that and see if it answers all of your questions. If not, please tell me.

Best regards,

Simon
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel