Thanks. All works fine!

Also, I have the following configuration: grep SIGN configurations/sdkconfig-latch-sim800 CONFIG_SECURE_SIGNED_ON_BOOT=y CONFIG_SECURE_SIGNED_ON_UPDATE=y CONFIG_SECURE_SIGNED_APPS=y CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y # CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y # CONFIG_SECURE_BOOT_SIGNING_KEY="...

Build signed application, decide this application as base application. Then it is needed to have an application signed for particular device using the device's key. Make sign_data process, no errors. At the end of OTA the device can not verify the signature. Build signed application from scratch usi...

Your utility can not resign the application binary!

Ah. I've found a solution. There is a bug in sign_data implementation...

Hmm, I did a hack: Build the application on the notebook with applying signature during build process. Run OTA with breakpoint on obtaining application. Upload the builded and signed (by notebook) application to OTA server. Begin the OTA process And the final was: D (892411) OTA: Written image lengt...

Which tool you use to verify the image on host? espsecure.py could help you to verify the image See here You might need to reproduce the process using the host encryption key+private signing key Decrypting on the host: pipenv run python ../esp32/tmp/idf-extra-components/esp_encrypted_img/tools/esp_...

dmitrij999 wrote: ↑

Wed Feb 22, 2023 7:14 am

If you plan to use SecureBoot v2, you need to tell espsecure.py that you use SecureBoot v2 explicitly

Code: Select all

python espsecure.py verify_signature --version 2 ...

As well, it might help you in case of signing images

I use second version of SecureBoot explicitly.

Hello, - Can you please share the instructions you used to sign and encrypt the firmware binary? - Can you please share the EFuse summary on the device? `espefuse.py --chip esp32 summary` Sure! Signature and its verification (works well on CICD and host): espsecure.py sign_data --version 2 --keyfil...

Which tool you use to verify the image on host? espsecure.py could help you to verify the image See here You might need to reproduce the process using the host encryption key+private signing key As I wrote above I use the standard tool for signature verification: - espsecure.py sign_data ../applica...