
Invalid private key with ed25519

Hi,

I have an application for the nRF9160 where I want to use mcuboot and of course signing, but I get the following message while building, that my key file is invalid.

-- Found assembler: D:/work/nRF_Connect_SDK/v1.8.0/toolchain/opt/bin/arm-none-eabi-gcc.exe
MCUBoot bootloader key file: D:/work/nRF_Connect_SDK/devzone/hello_world1234/test_ed25519.pem
-- Configuring done
-- Generating done
-- Build files have been written to: D:/work/nRF_Connect_SDK/devzone/hello_world1234/build/mcuboot
=== child image mcuboot -  end ===

CMake Warning at D:\work\nRF_Connect_SDK\v1.8.0\nrf\modules\mcuboot\CMakeLists.txt:278 (message):
  Key file `D:/work/nRF_Connect_SDK/devzone/hello_world1234/test_ed25519.pem`
  does not contain a valid private key.  Signing of images will be disabled.


Disable signing with `CONFIG_SIGN_IMAGES=n` to silence this warning.

I generated this key file with imgtool.py and it looks as follows:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIIXfDZiyadNbgeTl1FjaPsSpYOsVy8/pF1MtYafCSFcw
-----END PRIVATE KEY-----

Now nothing gets signed and I get no app_update.bin file and everything that comes with it.

I have attached a sample application where I get this error, where I used the .conf files of my actual application (just to clarify why they are so overkill for a hello world program).

I am using nRF Connect SDK 1.8.0 and VSCode

1007.hello_world1234.zip

Thank you in advance.

EDIT: This also applies with the default keys (meaning not setting CONFIG_BOOT_SIGNATURE_KEY_FILE to anything specific).

-- Found assembler: D:/work/nRF_Connect_SDK/v1.8.0/toolchain/opt/bin/arm-none-eabi-gcc.exe
MCUBoot bootloader key file: D:/work/nRF_Connect_SDK/v1.8.0/bootloader/mcuboot/root-ed25519.pem
-- Configuring done
-- Generating done
-- Build files have been written to: D:/work/nRF_Connect_SDK/devzone/hello_world1234/build/mcuboot
=== child image mcuboot -  end ===

CMake Warning at D:\work\nRF_Connect_SDK\v1.8.0\nrf\modules\mcuboot\CMakeLists.txt:255 (message):
  

        ---------------------------------------------------------
        --- WARNING: Using default MCUBoot key, it should not ---
        --- be used for production.                           ---
        ---------------------------------------------------------
        



CMake Warning at D:\work\nRF_Connect_SDK\v1.8.0\nrf\modules\mcuboot\CMakeLists.txt:278 (message):
  Key file
  `D:/work/nRF_Connect_SDK/v1.8.0/bootloader/mcuboot/root-ed25519.pem` does
  not contain a valid private key.  Signing of images will be disabled.


Disable signing with `CONFIG_SIGN_IMAGES=n` to silence this warning.
Dropping partition 'nrf_modem_lib_trace' since its size is 0.
-- Configuring done
-- Generating done
-- Build files have been written to: D:/work/nRF_Connect_SDK/devzone/hello_world1234/build

It appears that this is ed25519 specific. RSA and ECDSA-P256 seem to work fine.

Only when going back to SDK 1.4.0 it seems to recognize the .pem file correctly and spit out a signed .bin file.

  • You can use ssh-keygen to convert the key to the classic OpenSSH format:

    ssh-keygen -p -f file -m pem -P passphrase -N passphrase
    

    (if the key is not encrypted with a passphrase, use "" instead of passphrase)

    For Windows users: Note that ssh-keygen.exe is now built into Windows 10, and can be downloaded from the Microsoft Win32-OpenSSH project for older versions of Windows.

  • Hi, thanks for the reply.

    PS D:\work\nRF_Connect_SDK\devzone\hello_world1234> ssh-keygen.exe -p -f .\test_ed25519.pem -m pem -P "" -N ""
    Failed to load key .\\test_ed25519.pem: invalid format

    Does not seem to work with my ed25519 key file. Is this necessary to do? As I said, in SDK Version 1.4.0, the exemplary .pem file created by the imgtool in my first post was enough to let the build run through.

  • Hi,

     

    I can confirm that I see the same behavior when selecting this in mcuboot:

    CONFIG_BOOT_SIGNATURE_TYPE_ED25519=y

    Which then prints:

    CMake Warning at /opt/ncs/nrf/modules/mcuboot/CMakeLists.txt:255 (message):
      
    
            ---------------------------------------------------------
            --- WARNING: Using default MCUBoot key, it should not ---
            --- be used for production.                           ---
            ---------------------------------------------------------
            
    
    
    
    CMake Warning at /opt/ncs/nrf/modules/mcuboot/CMakeLists.txt:278 (message):
      Key file `/opt/ncs/bootloader/mcuboot/root-ed25519.pem` does not contain a
      valid private key.  Signing of images will be disabled.
    

    Unfortunately, I do not have a workaround at this time. I will report this internally.

     

    Kind regards,

    Håkon

  • We have found the issue and created a pull-request with a proposed fix:

    https://github.com/nrfconnect/sdk-nrf/pull/6693

     

    Could you test it and see if this also fixes the issue on your end?

     

    Kind regards,

    Håkon

  • Hi,

    I have changed the getpriv function to getpub and now the build process runs without complaint. Seems to work.

    Thanks a bunch!
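
An added example, not part of the original thread and not the SDK's or imgtool's code: a standard-library Python check that a PEM file is a structurally valid, unencrypted PKCS#8 Ed25519 private key, which helps tell a malformed key apart from a faulty build-system check like the one discussed above. The function names are hypothetical; the sample key is the text quoted in the first post.

```python
import base64
import re

# Key text copied from the first post in this thread (a test key).
SAMPLE_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIIXfDZiyadNbgeTl1FjaPsSpYOsVy8/pF1MtYafCSFcw
-----END PRIVATE KEY-----
"""
ED25519_OID = bytes.fromhex("2b6570")  # 1.3.101.112, id-Ed25519 (RFC 8410)


def read_tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def ed25519_seed_from_pem(pem_text):
    """Return the 32-byte seed of a PKCS#8 Ed25519 key, or raise ValueError."""
    m = re.search(r"-----BEGIN PRIVATE KEY-----(.+?)-----END PRIVATE KEY-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no unencrypted PKCS#8 'PRIVATE KEY' block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    body, end = read_tlv(der, 0, 0x30)            # PrivateKeyInfo SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after PrivateKeyInfo")
    version, pos = read_tlv(body, 0, 0x02)        # INTEGER version (v1 or v2)
    if version not in (b"\x00", b"\x01"):
        raise ValueError("unexpected PKCS#8 version")
    alg, pos = read_tlv(body, pos, 0x30)          # AlgorithmIdentifier
    oid, alg_end = read_tlv(alg, 0, 0x06)
    if oid != ED25519_OID or alg_end != len(alg):
        raise ValueError("not Ed25519 (OID mismatch or parameters present)")
    wrapped, _ = read_tlv(body, pos, 0x04)        # privateKey OCTET STRING
    seed, inner_end = read_tlv(wrapped, 0, 0x04)  # inner CurvePrivateKey
    if len(seed) != 32 or inner_end != len(wrapped):
        raise ValueError("Ed25519 seed must be exactly 32 bytes")
    return seed
```

If this function accepts a key file that the build still rejects, the problem is in the tooling's validity check rather than in the key.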
