https://github.com/sysgrok/espsign

https://github.com/sysgrok/espsign

Last synced: 6 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/sysgrok/espsign
• Owner: sysgrok
• License: apache-2.0
• Created: 2024-12-05T09:00:34.000Z (over 1 year ago)
• Default Branch: master
• Last Pushed: 2025-02-23T06:43:28.000Z (over 1 year ago)
• Last Synced: 2025-07-31T19:39:46.245Z (11 months ago)
• Language: Rust
• Size: 48.8 KB
• Stars: 4
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE-APACHE

Awesome Lists containing this project

README

          
# espsign

A utility for signing ESP32 firmware images for ESP RSA Secure Boot V2

[![CI](https://github.com/ivmarkov/espsign/actions/workflows/ci.yml/badge.svg)](https://github.com/ivmarkov/espsign/actions/workflows/ci.yml)

[![crates.io](https://img.shields.io/crates/v/espsign.svg)](https://crates.io/crates/espsign)

[![Matrix](https://img.shields.io/matrix/esp-rs:matrix.org?label=join%20matrix&color=BEC5C9&logo=matrix)](https://matrix.to/#/#esp-rs:matrix.org)

## Highlights

* Pure-Rust

* `no_std` (but needs `alloc`) **library interface** for:

  * Signing

  * Verifying

  * Generating key SHA-256 E-FUSE signature

* Command line interface

## Examples

### Command line

Install the command line utility

```sh

cargo install --force --git https://github.com/ivmarkov/espsign

```

Generate a new PEM signing key in file `foo`:

```sh

espsign gen-key foo

```

Generate a new password-protected with `pass` PEM signing key in file `foo`, and with E-FUSE SHA-256 hash in file `hash`:

```sh

espsign gen-key -p pass -s hash foo

```

Sign an app image `firmware` using a pre-generated PEM signing key from file `foo`

```sh

espsign sign -k foo firmware-padded firmware-signed

```

> NOTE: App image should first be padded to 64K alignment with e.g. [esptools](https://github.com/ivmarkov/esptools):

```sh

esptools tool --chip esp32s3 elf2image --version 2 --secure-pad-v2 --output firmware-padded firmware

```

Verify a signed app image `firmware-signed`

```sh

espsign verify firmware-signed

```

### Library

Verify an image. [Other examples](examples).

```rust

use std::fs::File;

use std::path::PathBuf;

use log::info;

use espsign::{AsyncIo, ImageType, SBV2RsaSignatureBlock};

/// Verify that `image` is properly signed

fn main() {

    let image = PathBuf::from("/home/foo/factory-app-signed");

    let mut buf = [0; 65536];

    info!("Verifying image `{}`...", image.display());

    embassy_futures::block_on(SBV2RsaSignatureBlock::load_and_verify(

        &mut buf,

        AsyncIo::new(File::open(image).unwrap()),

        ImageType::App,

    ))

    .unwrap();

    info!("Image verified successfully");

}

```