Merged
28 changes: 28 additions & 0 deletions tools/CMakeLists.txt
@@ -153,6 +153,28 @@ function(picotool_check_configurable TARGET)
endif()
endfunction()

# Compare 2 key files, used by picotool_check_default_keys
function(picotool_compare_keys TARGET KEY DEFAULT TYPE)
if (KEY)
execute_process(COMMAND ${CMAKE_COMMAND} -E compare_files "${KEY}" "${PICO_SDK_PATH}/tools/example_keys/${DEFAULT}"
RESULT_VARIABLE compare_result
)
if(compare_result EQUAL 0)
message(WARNING "${TARGET} is using a default ${TYPE} key - this must be changed before production")
Contributor

Would there be any value in also having a PICO_FORBID_EXAMPLE_KEYS setting, which changes this WARNING to an ERROR ? 🤷

endif()
endif()
endfunction()

# Check if default signing/encryption keys are being used
function(picotool_check_default_keys TARGET)
get_target_property(picotool_sigfile ${TARGET} PICOTOOL_SIGFILE)
picotool_compare_keys(${TARGET} ${picotool_sigfile} private.pem "signing")
get_target_property(picotool_aesfile ${TARGET} PICOTOOL_AESFILE)
picotool_compare_keys(${TARGET} ${picotool_aesfile} privateaes.bin "encryption")
get_target_property(picotool_enc_sigfile ${TARGET} PICOTOOL_ENC_SIGFILE)
picotool_compare_keys(${TARGET} ${picotool_enc_sigfile} private.pem "encrypted signing")
endfunction()

# Generate pio header and include it in the build
# PICO_CMAKE_CONFIG: PICO_DEFAULT_PIOASM_OUTPUT_FORMAT, Default output format used by pioasm when using pico_generate_pio_header, type=string, default=c-sdk, group=build
function(pico_generate_pio_header TARGET)
@@ -449,6 +471,12 @@ function(picotool_postprocess_binary TARGET)
set_target_properties(${TARGET} PROPERTIES
PICOTOOL_PROCESSING_CONFIGURED true
)

# PICO_CMAKE_CONFIG: PICO_ALLOW_EXAMPLE_KEYS, Don't raise a warning when using default signing/encryption keys, type=bool, default=0, group=build
if (NOT PICO_ALLOW_EXAMPLE_KEYS)
picotool_check_default_keys(${TARGET})
endif()

# Read target properties
get_target_property(picotool_sign_output ${TARGET} PICOTOOL_SIGN_OUTPUT)
if (picotool_sign_output)
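Review bot: The check in `picotool_compare_keys` fails open: only `compare_result EQUAL 0` produces the warning, so a key path that cannot be read at configure time (missing file, relative path) is treated the same as a non-default key and nothing is reported. The comparison is also byte-exact, so a copy of the example PEM with different line endings would presumably pass although it holds the same key; a comment stating that only verbatim copies are detected would set expectations, and an `if(NOT EXISTS "${KEY}")` branch with its own `message(WARNING ...)` would cover the unreadable case. In `picotool_check_default_keys` the key variables are expanded unquoted, so a property set to an empty string drops an argument and shifts the rest; `picotool_compare_keys(${TARGET} "${picotool_sigfile}" private.pem "signing")` avoids that, and the same applies to the two calls below it. `picotool_postprocess_binary` starts and ends outside the second hunk, so whether the key properties are already set when the check runs cannot be confirmed from here.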
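--- a/tools/example_keys/private.pem
+++ b/tools/example_keys/private.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQACg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEIAXAdiilH8wT07TESUzWPt+BY9+NcchvYU3xbnpK+CBNoAcGBSuBBAAK
+oUQDQgAEYYJtMQFGW4AB94tU3u/Qir5sRcYjBYMqCa+8gxsYd9OwMS3dqWKsnVBz
+dyy7bFWdJzXDMb9o20xRRd57Q9xSYw==
+-----END EC PRIVATE KEY-----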
Binary file added tools/example_keys/privateaes.bin
Binary file not shown.