Add new verify command
imgtool verify -k <some-key.(pub|sec)> <img-file>
Allow imgtool to validate that an image has a valid sha256sum and that
it was signed by the supplied key.
NOTE: this does not yet support verifying encrypted images
Signed-off-by: Fabio Utzig <utzig@apache.org>
diff --git a/scripts/imgtool/main.py b/scripts/imgtool/main.py
index cb204b0..476884c 100755
--- a/scripts/imgtool/main.py
+++ b/scripts/imgtool/main.py
@@ -19,6 +19,7 @@
import click
import getpass
import imgtool.keys as keys
+import sys
from imgtool import image
from imgtool.version import decode_version
@@ -98,6 +99,26 @@
raise ValueError("BUG: should never get here!")
+@click.argument('imgfile')
+@click.option('-k', '--key', metavar='filename')
+@click.command(help="Check that signed image can be verified by given key")
+def verify(key, imgfile):
+ key = load_key(key) if key else None
+ ret = image.Image.verify(imgfile, key)
+ if ret == image.VerifyResult.OK:
+ print("Image was correctly validated")
+ return
+ elif ret == image.VerifyResult.INVALID_MAGIC:
+ print("Invalid image magic; is this an MCUboot image?")
+ elif ret == image.VerifyResult.INVALID_MAGIC:
+ print("Invalid TLV info magic; is this an MCUboot image?")
+ elif ret == image.VerifyResult.INVALID_HASH:
+ print("Image has an invalid sha256 digest")
+ elif ret == image.VerifyResult.INVALID_SIGNATURE:
+ print("No signature found for the given key")
+ sys.exit(1)
+
+
def validate_version(ctx, param, value):
try:
decode_version(value)
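Review bot: The second `elif ret == image.VerifyResult.INVALID_MAGIC:` in `verify` repeats the condition of the branch above it, so the "Invalid TLV info magic" message can never be printed and that failure exits with status 1 and no explanation. It should test the TLV-magic member of `VerifyResult` instead, presumably `elif ret == image.VerifyResult.INVALID_TLV_INFO_MAGIC:`, to be confirmed against image.py, which this page does not show. Separately, `-k` is optional and `key` becomes `None` when it is omitted. If `Image.verify` then checks only the sha256 digest (its body is not visible here), "Image was correctly validated" would be printed for an image whose signature was never checked. Either declare the option with `required=True` or print a distinct success message such as `print("Image digest is valid; signature NOT checked (no key given)")` when `key is None`.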
@@ -226,6 +247,7 @@
imgtool.add_command(keygen)
imgtool.add_command(getpub)
+imgtool.add_command(verify)
imgtool.add_command(sign)