imgtool: option to read key passphrase from environment #1625
Conversation
@crazyscot The commit needs to be signed.
9c2150d to 82de83e
Done, thanks.
This pull request has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed; otherwise this pull request will automatically be closed in 14 days. Note that you can always re-open a closed pull request at any time.
82de83e to 98929e0
My apologies, it appears that I messed up pushing the GPG signature on this. Commit updated, can we remove the stale label please?
In a CI chain it is sometimes useful to automatically sign an image (e.g. once qualification tests have passed). Naturally, it is important to protect the private key in such cases.

This patch provides that capability.

The private key should be stored in a passphrase-protected PEM file in the usual way. The CI provider should be configured, through its secrets mechanism, to inject the passphrase as an environment variable of your choice. A new imgtool option is then used to specify that variable name, e.g.:

imgtool --password-env=DEV_KEY_PASSPHRASE sign infile.hex outfile.hex

This option also works for the other verbs that load keys (getpub, getpriv, imgfile).

Note that argument ordering is critical. --password-env must appear before the verb!

Signed-off-by: Ross Younger <crazyscot@gmail.com>
98929e0 to 9b85f44
Oh, I think what @utzig meant to say was that the commit needs a sign-off-by footer in the commit text. There is not a requirement to sign commits in this project.
This pull request has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed; otherwise this pull request will automatically be closed in 14 days. Note that you can always re-open a closed pull request at any time.
In a CI chain it is sometimes useful to automatically sign an image (e.g. once qualification tests have passed). Naturally, it is important to protect the private key in such cases.
This patch provides that capability.
The private key should be stored in a passphrase-protected PEM file in the usual way. The CI provider should be configured, through its secrets mechanism, to inject the passphrase as an environment variable of your choice. A new imgtool option is then used to specify that variable name, e.g.:
imgtool --password-env=DEV_KEY_PASSPHRASE sign infile.hex outfile.hex
This option also works for the other verbs that load keys (getpub, getpriv, imgfile).
Note that argument ordering is critical. --password-env must appear before the verb!
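The flow the description lays out, as an added example written in Python with the cryptography library (this is not code from the PR or from imgtool): a passphrase-protected PEM key is decrypted with a passphrase fetched from a named environment variable, and the two failure modes a CI job must fail closed on (variable unset, wrong passphrase) are exercised. The variable names and the generated key are constructed for the example.

```python
import os
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec

def passphrase_from_env(var_name: str) -> bytes:
    """Fetch the passphrase from the named variable, failing closed when unset."""
    value = os.environ.get(var_name)
    if not value:
        # Name the variable, never its value, so a CI log cannot leak the secret.
        raise RuntimeError(f"passphrase variable {var_name!r} is unset or empty")
    return value.encode()

def load_private_key(pem_data: bytes, var_name: str):
    """Decrypt a passphrase-protected PEM key; a wrong passphrase raises ValueError."""
    return serialization.load_pem_private_key(
        pem_data, password=passphrase_from_env(var_name)
    )

def make_encrypted_pem(passphrase: bytes) -> bytes:
    """Constructed fixture: a fresh P-256 signing key wrapped under `passphrase`."""
    key = ec.generate_private_key(ec.SECP256R1())
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )

def demo() -> dict:
    """Run on constructed data; setting os.environ stands in for the CI secret."""
    pem = make_encrypted_pem(b"constructed-passphrase")
    os.environ["DEV_KEY_PASSPHRASE"] = "constructed-passphrase"
    key = load_private_key(pem, "DEV_KEY_PASSPHRASE")
    # Failure modes a CI job must not pass silently: the variable is missing,
    # or it is present but holds the wrong passphrase.
    outcomes = {"curve": key.curve.name, "unset_rejected": False, "wrong_rejected": False}
    try:
        load_private_key(pem, "NO_SUCH_VARIABLE")
    except RuntimeError:
        outcomes["unset_rejected"] = True
    os.environ["WRONG_KEY_PASSPHRASE"] = "not-the-passphrase"
    try:
        load_private_key(pem, "WRONG_KEY_PASSPHRASE")
    except ValueError:
        outcomes["wrong_rejected"] = True
    return outcomes

if __name__ == "__main__":
    print(demo())
```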