To sign an image, you must first generate a Public Key Infrastructure (PKI).

Digi Embedded Yocto automatically generates one if not provided. This topic explains how to manually generate a PKI tree for the ConnectCore MP13.

Generate a Public Key Infrastructure (PKI) tree

  1. Install an SDK to have access to the signing tools. See Install a pre-compiled toolchain for instructions.

  2. Create a folder to hold the keys and export variable CONFIG_SIGN_KEYS_PATH with its path, for instance:

    $ export CONFIG_SIGN_KEYS_PATH="/home/username/my-pki"
$ cd ${CONFIG_SIGN_KEYS_PATH}

  3. Generate the PKI tree with:

    $ trustfence-sign-artifact.sh -p ccmp13

    This generates a subdirectory keys/ with:

    • fit/fitcfg.crt: public key for FIT configuration nodes

    • fit/fitcfg.key: private key for FIT configuration nodes

    • fit/fitimg.crt: public key for FIT image nodes

    • fit/fitimg.key: private key for FIT image nodes

    • keys/key_pass.txt: the eight randomly generated passwords in plain text

    • keys/privateKey00..07.pem: the eight private keys

    • keys/publicKey00..07.pem: the eight public keys

    • keys/publicKeyHash00..07.bin: hashes of the eight ECC public keys

    • keys/publicKeysHashHashes.bin: hash of the eight ECC public keys hashes table

  4. Add this line to your conf/local.conf file to use the generated keys:

    TRUSTFENCE_SIGN_KEYS_PATH = "/home/username/my-pki"