platform-espressif32
Signed binaries, no secure boot, no flash encryption
I've been trying to compile signed binaries for OTA without secure boot and without flash encryption:
# Security features
#
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME=y
# CONFIG_SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT is not set
CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
# CONFIG_SECURE_BOOT is not set
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
# CONFIG_SECURE_FLASH_ENC_ENABLED is not set
# end of Security features
I've generated the signing key + signature_verification_key.bin out of it. The compile process builds the signature_verification_key.bin.S file correctly in .pio/build/esp-pico/signature_verification_key.bin.S
But at some point during compilation it looks like the compiler is looking for the file in the wrong directory:
Compiling .pio\build\esp-pico\bootloader\bootloader_support\src\esp32\bootloader_esp32.o
*** [.pio\build\esp-pico\bootloader\signature_verification_key.bin.o] Source .pio\build\esp-pico\bootloader\signature_verification_key.bin.S' not found, needed by target .pio\build\esp-pico\bootloader\signature_verification_key.bin.o'.
If I put it there really fast before the compiler crashes, the compilation finishes correctly. Moreover, the binary does the signature verification correctly during OTA, but it's not signed itself - I gotta sign it manually with espsecure.py. Any idea what I am missing?