
imgtool: add support for key password to enable non-interactive key loading with password #2395


Open
wants to merge 2 commits into
base: main
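--- a/docs/release-notes.d/imgtool-add-key-password-support.md
+++ b/docs/release-notes.d/imgtool-add-key-password-support.md
@@ -0,0 +1 @@
+- Added support of password in Imgtool load function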
13 changes: 8 additions & 5 deletions scripts/imgtool/main.py
@@ -99,14 +99,16 @@ def save_signature(sigfile, sig):
f.write(signature)


def load_key(keyfile):
def load_key(keyfile, passwd=None):
# TODO: better handling of invalid pass-phrase
key = keys.load(keyfile)
if key is not None:
return key
passwd = getpass.getpass("Enter key passphrase: ").encode('utf-8')
return keys.load(keyfile, passwd)

if passwd is None:
passwd = getpass.getpass("Enter key passphrase: ")

return keys.load(keyfile, passwd.encode('utf-8'))

def get_password():
while True:
@@ -423,6 +425,7 @@ def convert(self, value, param, ctx):
default='hash', help='In what format to add the public key to '
'the image manifest: full key or hash of the key.')
@click.option('-k', '--key', metavar='filename')
@click.option('--key-pswd', required=False, help='Password for the key file')
@click.option('--fix-sig', metavar='filename',
help='fixed signature for the image. It will be used instead of '
'the signature calculated using the public key')
@@ -447,7 +450,7 @@ def convert(self, value, param, ctx):
@click.command(help='''Create a signed or unsigned image\n
INFILE and OUTFILE are parsed as Intel HEX if the params have
.hex extension, otherwise binary format is used''')
def sign(key, public_key_format, align, version, pad_sig, header_size,
def sign(key, key_pswd, public_key_format, align, version, pad_sig, header_size,
pad_header, slot_size, pad, confirm, max_sectors, overwrite_only,
endian, encrypt_keylen, encrypt, compression, infile, outfile,
dependencies, load_addr, hex_addr, erased_val, save_enctlv,
@@ -469,7 +472,7 @@ def sign(key, public_key_format, align, version, pad_sig, header_size,
non_bootable=non_bootable)
compression_tlvs = {}
img.load(infile)
key = load_key(key) if key else None
key = load_key(key, passwd=key_pswd) if key else None
enckey = load_key(encrypt) if encrypt else None
if enckey and key:
if ((isinstance(key, keys.ECDSA256P1) and
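Review bot: `--key-pswd` on `sign` takes the signing-key passphrase as a command-line argument, so on the build host it ends up in the process list, shell history and any CI log that echoes the command. click can read the same option from the environment, e.g. `@click.option('--key-pswd', required=False, envvar='IMGTOOL_KEY_PSWD', help='Password for the key file')` (the variable name is a placeholder), and the help text should say that the environment form is preferred for unattended signing. Separately, in `load_key` the first `keys.load(keyfile)` returns early for an unencrypted key, so a supplied `passwd` is silently ignored, and a wrong passphrase given non-interactively appears to still fall under the existing TODO; a short comment there stating both would help. The body of `sign` continues outside the visible hunks.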