Hi Paul, Adrian

> -----Original Message-----
> From: Paul Barker <[email protected]>
> Sent: Tuesday, May 19, 2026 4:33 PM
> To: [email protected]; Jamin Lin <[email protected]>
> Cc: OE-core <[email protected]>; Troy Lee
> <[email protected]>; Vince Chang <[email protected]>
> Subject: Re: [OE-core] [PATCH v1] kernel-fit-image: Check signing key files
> based on algorithm
> 
> On Tue, 2026-05-19 at 07:34 +0000, Adrian Freihofer via
> lists.openembedded.org wrote:
> > Hi Jamin, hi Paul
> >
> > After looking into the code of mkimage, I agree with the patch. It is
> > correct that rsa-sign.c needs key + crt files but ecdsa-libcrypto.c
> > uses a pem file.
> >
> > My conclusion is: The patch can be merged.
> 
> Hi Jamin and Adrian,
> 
> Thanks both for the extra information. I think the commit message and
> comments should be updated to say that this is due to the formats expected by
> mkimage and fitimage.py, then we should be able to accept this.
> 
> Best regards,
> 
> --
> Paul Barker

Thanks for the review and suggestion.

Will change the commit log and title as follows.


kernel-fit-image: Validate key files expected by mkimage for the selected algorithm

```
The signing key validation in run_mkimage_sign() unconditionally
required <keyname>.key and <keyname>.crt regardless of the signing
algorithm.

However, mkimage handles RSA and ECDSA keys differently. RSA signing
uses separate .key and .crt files, while ECDSA signing uses a single
.pem file.

As a result, OE/fitimage.py required users of ECDSA signing to provide
unused .key and .crt files only to satisfy the validation checks.

Refactor the validation logic into _check_sign_key_files() and validate
the required files according to the selected signing algorithm:
- ECDSA: requires <keyname>.pem
- RSA: requires <keyname>.key and <keyname>.crt

Detect the algorithm by scanning all comma-separated parts of the algo
string so the field order does not matter (e.g. "sha256,ecdsa384").
```


Fitimage.py

Function comment as below.

+    def _check_sign_key_files(self, key_path, algo):
+        """Check signing key files: ECDSA needs .pem, RSA needs .key + 
.crt."""   ---> Change to """Validate key files expected by mkimage for the 
selected algorithm."""
+        algo_parts = [p.strip().lower() for p in algo.split(',')]
+        is_ecdsa = any(p.startswith('ecdsa') for p in algo_parts)
+
+        if is_ecdsa:
+            if not os.path.exists(key_path + '.pem'):
+                bb.fatal("ECDSA signing requires '%s.pem'" % key_path)
+        else:
+            if not os.path.exists(key_path + '.key') or not 
os.path.exists(key_path + '.crt'):
+                bb.fatal("%s.key or .crt does not exist" % key_path)
+
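Review bot: the else branch treats every algo value without a part starting with 'ecdsa' as RSA, so a misspelled, unsupported or empty algo string ends in "%s.key or .crt does not exist", which points the user at the key files rather than at the algorithm setting. Consider testing explicitly for a part that starts with 'rsa' and calling bb.fatal with the algo string when neither family matches. The RSA message also does not say which of the two files is missing; checking .key and .crt separately, as the ECDSA branch does for .pem, would make the failure actionable. Finally, os.path.exists() is also true for a directory at that path, so os.path.isfile() would be the tighter check for key material.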

Thanks,
Jamin