The key file validation in run_mkimage_sign() unconditionally required .key and .crt regardless of the signing algorithm. This prevented ECDSA signing which uses a single .pem file.
Extract the check into _check_sign_key_files() and detect the algorithm from the algo string (e.g. "sha256,ecdsa384") by scanning all comma-separated parts so field order does not matter: - ECDSA: requires <keyname>.pem - RSA : requires <keyname>.key and <keyname>.crt Signed-off-by: Jamin Lin <[email protected]> --- meta/lib/oe/fitimage.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/meta/lib/oe/fitimage.py b/meta/lib/oe/fitimage.py index 881d0eae0a..e6ff66ca43 100644 --- a/meta/lib/oe/fitimage.py +++ b/meta/lib/oe/fitimage.py @@ -574,6 +574,18 @@ class ItsNodeRootKernel(ItsNode): except subprocess.CalledProcessError as e: bb.fatal(f"Command '{' '.join(cmd)}' failed with return code {e.returncode}\nstdout: {e.stdout.decode()}\nstderr: {e.stderr.decode()}\nitsflile: {os.path.abspath(itsfile)}") + def _check_sign_key_files(self, key_path, algo): + """Check signing key files: ECDSA needs .pem, RSA needs .key + .crt.""" + algo_parts = [p.strip().lower() for p in algo.split(',')] + is_ecdsa = any(p.startswith('ecdsa') for p in algo_parts) + + if is_ecdsa: + if not os.path.exists(key_path + '.pem'): + bb.fatal("ECDSA signing requires '%s.pem'" % key_path) + else: + if not os.path.exists(key_path + '.key') or not os.path.exists(key_path + '.crt'): + bb.fatal("%s.key or .crt does not exist" % key_path) + def run_mkimage_sign(self, fitfile): if not self._sign_enable: bb.debug(1, "FIT image signing is disabled. Skipping signing.") @@ -581,12 +593,10 @@ class ItsNodeRootKernel(ItsNode): # Some sanity checks because mkimage exits with 0 also without needed keys sign_key_path = os.path.join(self._sign_keydir, self._sign_keyname_conf) - if not os.path.exists(sign_key_path + '.key') or not os.path.exists(sign_key_path + '.crt'): - bb.fatal("%s.key or .crt does not exist" % sign_key_path) + self._check_sign_key_files(sign_key_path, self._sign_algo) if self._sign_individual: sign_key_img_path = os.path.join(self._sign_keydir, self._sign_keyname_img) - if not os.path.exists(sign_key_img_path + '.key') or not os.path.exists(sign_key_img_path + '.crt'): - bb.fatal("%s.key or .crt does not exist" % sign_key_img_path) + self._check_sign_key_files(sign_key_img_path, self._sign_algo) cmd = [ self._mkimage_sign, -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#237076): https://lists.openembedded.org/g/openembedded-core/message/237076 Mute This Topic: https://lists.openembedded.org/mt/119327152/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
