Adrian,
Can you review this patch, please?
You were nominated in the patch review meeting.
Thanks,
../Randy
On 2026-05-15 05:42, Jamin Lin via lists.openembedded.org wrote:
The key file validation in run_mkimage_sign() unconditionally required
.key and .crt regardless of the signing algorithm. This prevented ECDSA
signing which uses a single .pem file.
Extract the check into _check_sign_key_files() and detect the algorithm
from the algo string (e.g. "sha256,ecdsa384") by scanning all
comma-separated parts so field order does not matter:
- ECDSA: requires <keyname>.pem
- RSA: requires <keyname>.key and <keyname>.crt
Signed-off-by: Jamin Lin<[email protected]>
---
meta/lib/oe/fitimage.py | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/meta/lib/oe/fitimage.py b/meta/lib/oe/fitimage.py
index 881d0eae0a..e6ff66ca43 100644
--- a/meta/lib/oe/fitimage.py
+++ b/meta/lib/oe/fitimage.py
@@ -574,6 +574,18 @@ class ItsNodeRootKernel(ItsNode):
except subprocess.CalledProcessError as e:
bb.fatal(f"Command '{' '.join(cmd)}' failed with return code
{e.returncode}\nstdout: {e.stdout.decode()}\nstderr: {e.stderr.decode()}\nitsflile:
{os.path.abspath(itsfile)}")
+ def _check_sign_key_files(self, key_path, algo):
+ """Check signing key files: ECDSA needs .pem, RSA needs .key + .crt."""
+ algo_parts = [p.strip().lower() for p in algo.split(',')]
+ is_ecdsa = any(p.startswith('ecdsa') for p in algo_parts)
+
+ if is_ecdsa:
+ if not os.path.exists(key_path + '.pem'):
+ bb.fatal("ECDSA signing requires '%s.pem'" % key_path)
+ else:
+ if not os.path.exists(key_path + '.key') or not
os.path.exists(key_path + '.crt'):
+ bb.fatal("%s.key or .crt does not exist" % key_path)
+
def run_mkimage_sign(self, fitfile):
if not self._sign_enable:
bb.debug(1, "FIT image signing is disabled. Skipping signing.")
@@ -581,12 +593,10 @@ class ItsNodeRootKernel(ItsNode):
# Some
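Review bot: In `_check_sign_key_files` the `else:` branch treats every algorithm string without an `ecdsa` part as RSA, so a misspelled or unsupported value is checked against `.key`/`.crt` and never rejected by name. The context comment in the second hunk says mkimage exits with 0 even without the needed keys, so this helper is the guard against an unsigned image and should fail closed: use `elif any(p.startswith('rsa') for p in algo_parts):` for the RSA check, then `else: bb.fatal("Unsupported FIT signing algorithm '%s'" % algo)`, assuming every supported value is spelled `rsa…` or `ecdsa…`. `os.path.exists()` is also satisfied by a directory, so `os.path.isfile()` would be the tighter test, and the RSA message could name the file that is actually missing.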
sanity checks because mkimage exits with 0 also without needed keys
sign_key_path = os.path.join(self._sign_keydir,
self._sign_keyname_conf)
- if not os.path.exists(sign_key_path +
'.key') or not os.path.exists(sign_key_path + '.crt'):
- bb.fatal("%s.key or .crt does not exist" % sign_key_path)
+ self._check_sign_key_files(sign_key_path, self._sign_algo)
if self._sign_individual:
sign_key_img_path = os.path.join(self._sign_keydir,
self._sign_keyname_img)
- if not os.path.exists(sign_key_img_path + '.key') or not
os.path.exists(sign_key_img_path + '.crt'):
- bb.fatal("%s.key or .crt does not exist" % sign_key_img_path)
+ self._check_sign_key_files(sign_key_img_path, self._sign_algo)
cmd = [
self._mkimage_sign,
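Review bot: Both new calls pass `self._sign_algo` to the helper without checking it first. An empty string yields `['']` from `algo.split(',')` and silently takes the RSA branch, and `None` would raise `AttributeError` instead of a `bb.fatal` message; whether either value can reach this point depends on the constructor, which is outside the hunk. A guard before the first call, e.g. `if not self._sign_algo: bb.fatal("FIT signing is enabled but no signing algorithm is set")`, would keep the failure explicit. `run_mkimage_sign` continues past the end of the hunk.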
--
# Randy MacLeod
# Wind River Linux