Question: What is the process for generating the signature in a signed build? (IDFGH-10903)

[Asa-McVay-Rheem]

Answers checklist.

• [X] I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• [X] I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• [X] I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

How is the signature created for a signed build? My particular system does not have secure boot enabled, but we want to sign the images. My understanding right now is as follows:

• User creates a private key.
• At build time the public key is generated from the private key and stored in the signature block of the bootloader and the app image.
• The signature is created somehow and (I'm assuming this) added to the signature block with the public key.
• When an OTA upgrade is performed, the public key is used to verify (decrypt?) the signature.
• At boot time the app image signature is checked, and boot does not continue if not valid.

What I would guess is the signature is created from encrypting the hash, but I haven't seen any confirmation of this in the documentation, and when I reached out to support they pointed me here.

[mahavirj]

@Asa-McVay-Rheem

External signing of the images is documented here.

Mainly the signing part is handled by the espsecure.py utility and you can refer to its code for more details here.

Your understanding is mostly correct with one addition that hash (SHA256) of the public key is also stored in EFuse block. This hash is used to first verify the public key in the signature block appended to the image and then only the public key is trusted to verify the signature.

Hope this helps!

[Asa-McVay-Rheem]

That answers my question. Thank you!