This page documents the
west sign extension
command included in the zephyr repository. It is used to sign a Zephyr
application binary for consumption by a bootloader using an external tool.
Currently, it supports signing binaries for use with the MCUboot bootloader,
using the imgtool program provided by its developers. Using
west sign as
a wrapper around
imgtool for Zephyr binaries is more convenient than using
imgtool directly, because
west sign knows how to read numeric values
imgtool out of an application build directory. These values
differ depending on your board, so using
west sign means
both shorter command lines and not having to learn or memorize
To produce signed
.hex files for a Zephyr application, make
imgtool is installed (e.g. with
pip3 install imgtool on macOS and
pip3 install --user imgtool on Linux), then run:
west sign -t imgtool -d YOUR_BUILD_DIR -- --key YOUR_SIGNING_KEY.pem
YOUR_BUILD_DIR is a Zephyr build directory containing an
application compiled for MCUboot (in practice, this means
y in the application’s Kconfig).
Some additional notes follow. See
west sign -h for detailed help.
build, which is the default output directory created by west build.
If you don’t have your own signing key and have a default MCUboot build, use
By default, the output files produced by
west signare named
zephyr.signed.hex. You can control this using the
west sign -t imgtool -B my-signed.bin -H my-signed.hex [...]
Example build flow¶
For reference, here is an example showing how to build Hello World for
west build -b YOUR_BOARD samples/hello_world -- -DCONFIG_BOOTLOADER_MCUBOOT=y west sign -t imgtool -- --key YOUR_SIGNING_KEY.pem west flash --hex-file zephyr.signed.hex
Availability of a hex file depends on your build configuration.