Decouple MCUBoot public key storage and image signing (nrf9160 + MCUBoot)


I'm investigating firmware image signing on the nrf9160 using MCUBoot and the nRF Connect SDK v17. I have configured 


and it seems to work via `west build -b nrf9160dk_nrf9160ns -s myapp`.

For production, however, I don't want to keep my private "key.pem" on the build machine. I'd like to decouple things so that my build server produces the firmware image and then makes a remote call to a signing server that has the private key, signs the image, and returns it.

I can't figure out how to decouple this. My understanding is that "CONFIG_MCUBOOT_SIGNATURE_KEY_FILE" expects the path to the *private* key, from which the build system will:

1. Generate the *public* key from the *private* key

2. Embed the *public* key in the bootloader.

3. Sign the firmware with the *private* key.

Is that right? I think I am looking for a way to *not* provide the private key to the build system at all. Instead I want to specify something like "PUBLIC_KEY_FILE=/path/to/public.pem" and simply embed that in the bootloader, and skip all the signing steps, leaving that to us.

Thanks for any advice,


  • It does not seem like this is supported at the moment, but you should be able to achieve this by modifying NCS.

    How it currently works

    • Assume the following command is used to build the project 

    west build -b nrf52dk_nrf52840 hello_world -- -DCONFIG_BOOTLOADER_MCUBOOT=y -Dmcuboot_CONFIG_BOOT_SIGNATURE_KEY_FILE=\"mcuboot_private.pem\" -Dmcuboot_CONFIG_BOOT_ENCRYPT_RSA=n -Dmcuboot_CONFIG_BOOT_SIGNATURE_TYPE_RSA=y -Dmcuboot_CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256=n

    How to modify it to get signed externally

    • In nrf/modules/mcuboot/CMakeLists.txt, modify sign_cmd, and use a custom Python script instead of The custom Python script should connect to the server, provide it with the bin/hex file and get the signed file in return.
    • In bootloader/mcuboot/boot/zephyr/CMakeLists.txt, modify these lines. Use a custom Python script that will get the public key from the application folder and generate autogen-pubkey.c.

    I am by no means an expert on CMake, and it will probably be more difficult to implement this than described above. But now you know how it works and where stuff happens, and what files you need to modify.

    Best regards,
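
The public-key half of the answer above, as an added example rather than code from NCS, MCUBoot or either poster: a script that turns a public-only PEM into the C array the bootloader compiles in, and refuses a PEM that carries private key material. It assumes an ECDSA P-256 key (the answer's command selects RSA instead) and that the symbol names `ecdsa_pub_key` / `ecdsa_pub_key_len` match what your MCUBoot version expects in autogen-pubkey.c; the sample key is constructed.

```python
import base64
import re

# Fixed DER framing of a SubjectPublicKeyInfo for an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { id-ecPublicKey, prime256v1 }, BIT STRING { 0x04 || X || Y } }
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s*-----END \1-----", re.S)


def load_public_der(pem_text: str) -> bytes:
    """Return the SPKI DER of a P-256 public key; reject anything else."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    if m.group(1) != "PUBLIC KEY":
        # A PRIVATE KEY label means signing material reached the build host.
        raise ValueError(f"expected PUBLIC KEY, got {m.group(1)!r}")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if len(der) != 91 or not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    return der


def emit_c(der: bytes, name: str = "ecdsa_pub_key") -> str:
    """Render the DER bytes as C source (symbol names are an assumption)."""
    lines = ["/* Autogenerated from a public-only PEM, do not edit. */",
             f"const unsigned char {name}[] = {{"]
    for i in range(0, len(der), 8):
        lines.append("    " + " ".join(f"0x{b:02x}," for b in der[i:i + 8]))
    lines += ["};", f"const unsigned int {name}_len = {len(der)};", ""]
    return "\n".join(lines)


def sample_pem() -> str:
    # Constructed sample: real SPKI framing, placeholder X/Y (not a curve point).
    b64 = base64.b64encode(P256_SPKI_PREFIX + bytes(range(64))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    print(emit_c(load_public_der(sample_pem())))
```

The signing server can export the matching public PEM once, and only that file needs to live in the application folder the build reads from.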