Siging image for OTA DFU

Hi all,

Inherited a nRF Connect 1.5 project developed under Linux and I'm trying to get everything set up for continued development under Windows.

I can build the code using the default signing key and OTA DFU works as i should.  Now I would like to sign with my own key instead. I have read numrous posts on this forum and even though the answer is probably in there I cannot single it out. In any case; from the following post...

 RE: Problem with signing images for OTA DFU . 

... I pull the following reply:

"You do not need to sign the binaries "manually", as this is handled automatically for you by the partition manager when building with CONFIG_BOOTLOADER_MCUBOOT. The only thing you need to do is to set CONFIG_BOOT_SIGNATURE_KEY_FILE in the configuration for mcuboot as explained here, or by adding a separate config file as explained here."

So I add CONFIG_BOOT_SIGNATURE_KEY_FILE="d:/mykey.pem" and do a "clean build".  Problem is that the build succeeds regardless if mykey.pem is present or not, i.e. if the USB stick is inserted or not. 

So, a couple of "debug" questions...

- Why doesn't the build system report an error if I refer to a key file which is not there ?

- Which is the default key file and where is it stored ? (I.e. if I delete it will the build system protest then ?)

- Is there a way to determine which key file was used to sign a particular app binary ? (Since the signed binary, i.e. app_update.bin, seems to change for every build I cannot determine if "my key" or the "default key" was used to sign it.)

...leding to the final question:

- What am I missing her ?

Cheers

Eric

Parents Reply
  • Hi,

    Since the previous (Linux) developer used some comand line script to do the signing as a stand-alone operation I suspect that the project is not properly set-up for "multi image". I.e. as I understand it there should be a child_image folder next to the src folder. In other words; no I have not added CONFIG_BOOT_SIGNATURE_KEY_FILE  in the configuration file for the mcuboot child image, only in the regular prj.conf file. I guess this explains why mykey.pem is totally ignored in the build process. But, given that I would like to do the signing as a separate operation outside the normal build process; how would I do it in the "Windows nRF SDK" environment ?

    \Eric

Children
Related