
imgtool: option to read key passphrase from environment

Open crazyscot opened this issue 2 years ago • 5 comments

In a CI chain it is sometimes useful to automatically sign an image (e.g. once qualification tests have passed). Naturally, it is important to protect the private key in such cases.

This patch provides that capability.

The private key should be stored in a passphrase-protected PEM file in the usual way. The CI provider should be configured, through its secrets mechanism, to inject the passphrase as an environment variable of your choice. A new imgtool option is then used to specify that variable name, e.g.: imgtool --password-env=DEV_KEY_PASSPHRASE sign infile.hex outfile.hex

This option also works for the other verbs that load keys (getpub, getpriv, imgfile).

Note that argument ordering is critical. --password-env must appear before the verb!

crazyscot avatar Feb 23 '23 07:02 crazyscot
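As an added illustration (not imgtool's or this PR's code), the following stdlib-only Python sketch models how a --password-env style option fits an argparse-based CLI: the secret never appears in argv, a requested-but-unset variable is a hard error rather than a silent fallback, and the value is dropped from the environment once read so child processes do not inherit it. It also shows why the ordering caveat exists: a global option on the top-level parser cannot be parsed after the verb has dispatched to a subparser. The verb names and option name mirror the PR; everything else (function names, the use of the cryptography package in load_private_key) is assumed.

```python
"""Model of an imgtool-like CLI with a --password-env option (added example,
not imgtool's own implementation)."""
import argparse
import os
import sys
from typing import Optional


def build_parser() -> argparse.ArgumentParser:
    # The global option is registered on the top-level parser and the verbs
    # are subparsers. argparse hands everything after the verb to that
    # subparser, which does not know --password-env, so the option must
    # come before the verb (the ordering caveat from the PR description).
    parser = argparse.ArgumentParser(prog="imgtool")
    parser.add_argument(
        "--password-env", metavar="VAR",
        help="name of the environment variable holding the key passphrase")
    subparsers = parser.add_subparsers(dest="verb", required=True)
    sign = subparsers.add_parser("sign")
    sign.add_argument("infile")
    sign.add_argument("outfile")
    for verb in ("getpub", "getpriv", "imgfile"):  # other verbs that load keys
        sub = subparsers.add_parser(verb)
        sub.add_argument("keyfile")
    return parser


def resolve_passphrase(var_name: Optional[str], env=None) -> Optional[bytes]:
    """Return the passphrase held in the variable named by var_name.

    None means no variable was requested (key is assumed unencrypted or the
    tool will prompt). A requested variable that is unset or empty raises,
    because a CI misconfiguration should fail loudly instead of hanging on
    an interactive prompt or producing an opaque decrypt error."""
    if var_name is None:
        return None
    env = os.environ if env is None else env
    value = env.get(var_name)
    if not value:
        raise KeyError(f"environment variable {var_name!r} is not set or empty")
    # Drop the secret from the environment once consumed so that any
    # subprocess the tool spawns does not inherit it.
    env.pop(var_name, None)
    return value.encode("utf-8")


def load_private_key(pem_data: bytes, passphrase: Optional[bytes]):
    """Decrypt a PEM-encoded private key with the resolved passphrase.

    Assumes the third-party `cryptography` package is installed; it is
    imported lazily so the rest of this module works without it."""
    from cryptography.hazmat.primitives import serialization
    return serialization.load_pem_private_key(pem_data, password=passphrase)


def parse(argv):
    """Parse argv and resolve the passphrase. Putting --password-env after the
    verb makes argparse exit with 'unrecognized arguments'."""
    ns = build_parser().parse_args(argv)
    return ns, resolve_passphrase(ns.password_env)


if __name__ == "__main__":
    # Example invocation (constructed): DEV_KEY_PASSPHRASE=... python model.py \
    #   --password-env=DEV_KEY_PASSPHRASE sign infile.hex outfile.hex
    namespace, secret = parse(sys.argv[1:])
    print(namespace.verb, "passphrase supplied:", secret is not None)
```

Reading the variable name rather than the passphrase from the command line matters because argv is visible in process listings and shell history, whereas a CI secret injected as an environment variable is scoped to the job; popping it after use narrows that scope further.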

@crazyscot The commit needs to be signed.

utzig avatar Feb 23 '23 23:02 utzig


Done, thanks.

crazyscot avatar Feb 24 '23 07:02 crazyscot

This pull request has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this pull request will automatically be closed in 14 days. Note, that you can always re-open a closed pull request at any time.

github-actions[bot] avatar Aug 24 '23 01:08 github-actions[bot]

My apologies, it appears that I messed up pushing the GPG signature on this. Commit updated, can we remove the stale label please?

crazyscot avatar Aug 24 '23 10:08 crazyscot


Oh, I think what @utzig meant to say was that the commit needs a Signed-off-by footer in the commit text. There is not a requirement to sign commits in this project.

d3zd3z avatar Dec 15 '23 18:12 d3zd3z

This pull request has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this pull request will automatically be closed in 14 days. Note, that you can always re-open a closed pull request at any time.

github-actions[bot] avatar Jun 13 '24 01:06 github-actions[bot]