Signing Binaries
The west sign
extension command can be used to
sign a Zephyr application binary for consumption by a bootloader using an
external tool. In some configurations, west sign
is also used to invoke
an external, post-processing tool that “stitches” the final components of
the image together. Run west sign -h
for command line help.
rimage
rimage configuration uses an approach that does not rely on Kconfig or CMake but on west config, similar to Permanent CMake Arguments.
Signing involves a number of “wrapper” scripts stacked on top of each other: west
flash
invokes west build
which invokes cmake
and ninja
which invokes
west sign
which invokes imgtool
or rimage. As long as the signing
parameters desired are the default ones and fairly static, these indirections are
not a problem. On the other hand, passing imgtool
or rimage
options through
all these layers can causes issues typical when the layers don’t abstract
anything. First, this usually requires boilerplate code in each layer. Quoting
whitespace or other special characters through all the wrappers can be
difficult. Reproducing a lower west sign
command to debug some build-time issue
can be very time-consuming: it requires at least enabling and searching verbose
build logs to find which exact options were used. Copying these options from the
build logs can be unreliable: it may produce different results because of subtle
environment differences. Last and worst: new signing feature and options are
impossible to use until more boilerplate code has been added in each layer.
To avoid these issues, rimage
parameters can bet set in west config
.
Here’s a workspace/.west/config
example:
[sign]
# Not needed when invoked from CMake
tool = rimage
[rimage]
# Quoting is optional and works like in Unix shells
# Not needed when rimage can be found in the default PATH
path = "/home/me/zworkspace/build-rimage/rimage"
# Not needed when using the default development key
extra-args = -i 4 -k 'keys/key argument with space.pem'
In order to support quoting, values are parsed by Python’s shlex.split()
like in
One-Time CMake Arguments.
The extra-args
are passed directly to the rimage
command. The example
above has the same effect as appending them on command line after --
like this:
west sign --tool rimage -- -i 4 -k 'keys/key argument with space.pem'
. In case
both are used, the command-line arguments go last.