Generating and using secure DFU keys under Linux

You have removed the debug public key and replaced it with a public key that corresponds to your private key in dfu_public_key.c right?

Have you generated a bootloader settings hex file? If not then I think you have to set the application-version to 0xFF, i.e.

nrfutil pkg generate <name of zip pkg >.zip --application <name of application hex>.hex --application-version 0xFF  --hw-version 52 --sd-req 0x8C --key-file <name of key file>.pem

Yes and no to replacing the data in the pk array.

I'm not linking with dfu_public_key.c instead I'm linking with the generated public key code file generated by nrfutil.

I have verified that the data in the the "pk" array is the same bytes as in the generated .c file by calling:

NRF_LOG_HEXDUMP_INFO(crypto_key_pk.p_le_data, crypto_key_pk.len);

Earlier in dfu_req_handling.c crypto_key_pk is defined as

static const nrf_crypto_key_t crypto_key_pk =
{
    .p_le_data = (uint8_t *) pk,
    .len = sizeof(pk)
};

Have you tried setting the --application-version to 0xFF?

With regard to the app version I have yet to initialize the bootloader settings by flashing its hex.

The check for this is done earlier in dfu_req_handling.c and --applocation-version 0 did not cause any problems if I commented out the failure on the crypto verification.

I have however tried setting the version to 0xFF for completeness.

The DFU update still fails for the crypto verification.

Btw. the NRF_LOG_INFO data also seems to indicated that at least in my case app version 0 would also have been accepted:

 :INFO:Req version: 255, Present: 0

Minor update:

I originally used a nrfutil version that was compiled from the git sources.

I have now also tried to 'pip install nrfutil' and use this version to generate a new set of public and private keys as well as a new application package.

The DFU still fails during 'nrf_crypto_verify' using the pip installed nfrutil