Signing Binaries
This page documents the west sign extension command included in the zephyr repository. It is used to sign a Zephyr application binary for consumption by a bootloader using an external tool.
Currently, it supports signing binaries for use with the MCUboot bootloader, using the imgtool program provided by its developers. Using west sign as a wrapper around imgtool for Zephyr binaries is more convenient than using imgtool directly, because west sign knows how to read numeric values needed by imgtool out of an application build directory. These values differ depending on your board, so using west sign means both shorter command lines and not having to learn or memorize hardware-specific details.
To produce signed .bin and .hex files for a Zephyr application, make sure imgtool is installed (e.g. with pip3 install imgtool on macOS and Windows, and pip3 install --user imgtool on Linux), then run:
west sign -t imgtool -d YOUR_BUILD_DIR -- --key YOUR_SIGNING_KEY.pem
Above, YOUR_BUILD_DIR is a Zephyr build directory containing an application compiled for MCUboot (in practice, this means CONFIG_BOOTLOADER_MCUBOOT is y in the application’s Kconfig).
Some additional notes follow. See west sign -h for detailed help.
- The default -d value is build, which is the default output directory created by west build.
- If you don’t have your own signing key and have a default MCUboot build, use --key path/to/mcuboot/root-rsa-2048.pem.
- By default, the output files produced by west sign are named zephyr.signed.bin and zephyr.signed.hex. You can control this using the -B and -H options, e.g.:
  west sign -t imgtool -B my-signed.bin -H my-signed.hex [...]
Example build flow
For reference, here is an example showing how to build Hello World for MCUboot using west:
west build -b YOUR_BOARD samples/hello_world -- -DCONFIG_BOOTLOADER_MCUBOOT=y
west sign -t imgtool -- --key YOUR_SIGNING_KEY.pem
west flash --hex-file zephyr.signed.hex
Availability of a hex file depends on your build configuration.
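A pre-flight wrapper for the west sign step, as an added example that is not part of Zephyr or MCUboot. It checks that the build directory was configured with CONFIG_BOOTLOADER_MCUBOOT=y and refuses to sign with root-rsa-2048.pem, which ships in the MCUboot source tree and is therefore not secret. Assumptions: the merged Kconfig output lives at BUILD_DIR/zephyr/.config, and the function names and the WEST override variable are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks around `west sign` (not part of Zephyr).
# Assumption: the merged Kconfig output is BUILD_DIR/zephyr/.config.

# True when the build directory was configured with CONFIG_BOOTLOADER_MCUBOOT=y.
is_mcuboot_build() {
    grep -q '^CONFIG_BOOTLOADER_MCUBOOT=y$' "$1/zephyr/.config" 2>/dev/null
}

# True when KEY is MCUboot's default key: matched by file name, or byte for
# byte against an optional reference copy REF taken from the MCUboot tree.
is_default_key() {
    [ "$(basename "$1")" = "root-rsa-2048.pem" ] && return 0
    [ -n "${2:-}" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# sign_release BUILD_DIR KEY [REF]
# Returns 2: not an MCUboot build, 3: key unreadable, 4: default key refused.
# WEST may be overridden for dry runs (hypothetical knob, defaults to `west`).
sign_release() {
    build_dir=$1 key=$2 ref=${3:-}
    if ! is_mcuboot_build "$build_dir"; then
        echo "error: $build_dir is not built with CONFIG_BOOTLOADER_MCUBOOT=y" >&2
        return 2
    fi
    if [ ! -r "$key" ]; then
        echo "error: cannot read signing key $key" >&2
        return 3
    fi
    if is_default_key "$key" "$ref"; then
        echo "error: $key is the MCUboot default key; use your own key" >&2
        return 4
    fi
    # Same invocation as on this page, with the build directory made explicit.
    "${WEST:-west}" sign -t imgtool -d "$build_dir" -- --key "$key"
}

# Run only when called as a script with arguments: BUILD_DIR KEY [REF]
if [ "$#" -ge 2 ]; then
    sign_release "$@"
fi
```

Passing the path to the MCUboot copy of root-rsa-2048.pem as the third argument also catches a renamed copy of the default key.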