Verification failure in U-Boot when signed with Nitrokey


I am building U-Boot signed with an RSA key on a Nitrokey, but when I run fit_check_sign it fails verification when it checks the hash. The verification uses the RSA public key combined with the signature to rebuild the original hash value. It checks this hash value against the hash of the bytes in the image. So it’s possible there is something wrong with the signature (even though I know it comes from the correct RSA key on the correct Nitrokey).

Is there something about RSA keys or signatures generated on the Nitrokey (or HSMs in general?) that might prevent the hash from being rebuilt from the public key and the signature?

When I build U-Boot from an on-disk local RSA key created in openssl, it passes verification.

Thanks in advance,
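
The check the post above describes (public key applied to the signature, recovered hash compared with the hash of the image bytes), as an added example that is not from the thread or from U-Boot. It assumes SHA-256 with PKCS#1 v1.5 padding and uses a constructed, insecure test key in place of the Nitrokey; the function names and the mismatch categories, including the double-hash case, are illustrative and are not the thread's diagnosis.

```python
import hashlib

# DER DigestInfo header for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed test key, NOT secure: product of two Mersenne primes so the
# example is deterministic and needs no key file or token.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def encode(digest):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo header || digest."""
    t = SHA256_PREFIX + digest
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_digest(digest):
    """Stand-in for the token: raw RSA private-key operation on the padding."""
    return pow(int.from_bytes(encode(digest), "big"), D, N).to_bytes(K, "big")

def recover_digest(sig):
    """Apply the public key; return the embedded digest, or None if malformed."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return None
    em = pow(s, E, N).to_bytes(K, "big")
    return em[-32:] if em == encode(em[-32:]) else None

def diagnose(data, sig):
    """Classify a verification result by what the signature actually covers."""
    want = hashlib.sha256(data).digest()
    got = recover_digest(sig)
    if got is None:
        return "bad-padding"      # wrong key, wrong scheme, or corrupted signature
    if got == want:
        return "ok"
    if got == hashlib.sha256(want).digest():
        return "double-hashed"    # signer hashed an already-hashed input
    return "digest-mismatch"      # signature covers different bytes

if __name__ == "__main__":
    image = b"constructed sample image bytes"
    print(diagnose(image, sign_digest(hashlib.sha256(image).digest())))
```
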

It is hard to tell what exactly you are doing. Which signature/verification mechanism are you using for U-Boot? It most probably depends on the platform you are going to run it on.

Maybe you could show actual commands used to sign the image using Nitrokey HSM 2 and we can tell something more.

Thank you for your response - my issue has now been resolved in another thread: Error on nitrokey trying to decrypt original data from public key and signature
