Support external firmware signing #268

@eliasnaur

It would be nice to use picotool for signing firmware images without exposing the private key. I imagine the following flow:

$ picotool seal -hash firmware.uf2 firmware.hashed.uf2
$ export HASH=`picotool info -h firmware.hashed.uf2`      # add a -h flag to dump the hash, otherwise `picotool -m firmware.hashed.uf2|grep ...`
$ export SIGNATURE=... # Externally sign $HASH.
$ picotool seal -sign -signature "$SIGNATURE" -pubkey $PUBKEY firmware.hashed.uf2 firmware.signed.uf2

In other words, add support for an externally supplied public key and signature to picotool seal -sign, to convert a previously hashed image to a signed image by replacing its HASH_VALUE item with a SIGNATURE item. Optionally, add a picotool info -h for convenient dumping of a firmware image hash.

This is a generalization of #198.
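
The "externally sign $HASH" step from the flow above, sketched with OpenSSL as an added example (not part of the original issue and not picotool code). It assumes an ECDSA secp256k1 key and a 32-byte SHA-256 image hash; the file names and the constructed image bytes are placeholders.

```shell
#!/bin/sh
# Added example: sign a precomputed image hash outside the image tool.
# Assumptions (not from the issue): ECDSA over secp256k1, a 32-byte SHA-256
# hash, OpenSSL 1.1.1 or later on PATH. All file names are placeholders.

# external_sign_demo DIR: runs the round trip in DIR. Returns 0 only if the
# signature verifies over the exact digest and is rejected for another digest.
external_sign_demo() {
    dir=$1

    # Signer side: the private key exists only here (stand-in for an HSM or
    # an offline signing machine).
    openssl ecparam -name secp256k1 -genkey -noout -out "$dir/priv.pem" 2>/dev/null || return 2
    openssl ec -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null || return 2

    # Build side: constructed stand-in for the hash read back from the
    # hashed image. Only these 32 bytes travel to the signer.
    printf 'constructed firmware image bytes' |
        openssl dgst -sha256 -binary > "$dir/hash.bin" || return 2
    [ "$(wc -c < "$dir/hash.bin")" -eq 32 ] || return 2

    # Signer side: pkeyutl signs the 32 bytes as given. `openssl dgst -sign`
    # would hash them again and produce a signature over SHA-256(hash).
    # The output is a DER-encoded ECDSA signature.
    openssl pkeyutl -sign -inkey "$dir/priv.pem" \
        -in "$dir/hash.bin" -out "$dir/sig.der" || return 2

    # Build side: check with the public key alone before embedding anything.
    openssl pkeyutl -verify -pubin -inkey "$dir/pub.pem" \
        -in "$dir/hash.bin" -sigfile "$dir/sig.der" >/dev/null 2>&1 || return 1

    # A signature made for one digest must not verify for a different one.
    printf 'constructed firmware image bytes, modified' |
        openssl dgst -sha256 -binary > "$dir/other.bin" || return 2
    if openssl pkeyutl -verify -pubin -inkey "$dir/pub.pem" \
        -in "$dir/other.bin" -sigfile "$dir/sig.der" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage: d=$(mktemp -d) && external_sign_demo "$d" && echo "round trip ok"
```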
