Hi Rasmus, On Mon, 24 Jan 2022 at 15:15, Rasmus Villemoes <rasmus.villem...@prevas.dk> wrote: > > On 24/01/2022 18.57, Simon Glass wrote: > > >> And the thing about "adding the signature" - yes, indeed, _signing_ can > >> and should be done after building. But that is not at all what this > >> started with, this is about embedding the metadata that U-Boot (or SPL) > >> will need for _verifying_ during the build itself - when the private key > >> may not even be available. Again, I think that it's a fundamental design > >> bug that generating and adding that metadata in the form needed by > >> U-Boot can only be done as a side effect of signing some unrelated image. > > > > It is a side effect of signing *the same* image, i.e. the image that > > holds the signature and the public key. There is only one image, the > > firmware image produced by binman. > > Huh? Are we talking about the same thing? What you write makes no sense > at all.
Perhaps it is a terminology thing. For me: image: the final firmware image with everything in it binary: a component of the image So there is only one image. Regards, Simon