I misunderstood the documentation and put the signing key in a keys/ directory while setting key-name-hint property in the signature node and u-boot-spl-pubkey-dtb to a path.
mkimage doesn't fail if it cannot find the public key when signing a FIT but returns something on stderr to notify the user it couldn't find the key. The issue is that bintool currently discards stderr if the command successfully returns, so the FIT is not signed AND the user isn't made aware of it unless the image is manually inspected.

mkimage does fail when trying to insert a public key in a DTB if it isn't found but we can have a better error message.

Signed-off-by: Quentin Schulz <quentin.sch...@cherry.de>
---
Changes in v2:
- added tests,
- fixed typo in docstring,
- synced both error messages,
- Link to v1: https://lore.kernel.org/r/20250414-binman-pubkey-dir-v1-0-0784d54ac...@cherry.de

---
Quentin Schulz (2):
      binman: etype: fit: raise ValueError if key-name-hint is a path
      binman: etype: u_boot_spl_pubkey_dtb: provide more explicit error for key-name-hint with path

 tools/binman/etype/fit.py                          |  3 +
 tools/binman/etype/u_boot_spl_pubkey_dtb.py        |  2 +
 tools/binman/ftest.py                              | 25 ++++++
 .../test/347_key_name_hint_dir_fit_signature.dts   | 98 ++++++++++++++++++++++
 .../test/348_key_name_hint_dir_spl_pubkey_dtb.dts  | 16 ++++
 5 files changed, 144 insertions(+)
---
base-commit: cb7555e93075114fe4af0adb806877ac4d4ef80d
change-id: 20250411-binman-pubkey-dir-48b886b17599

Best regards,
-- 
Quentin Schulz <quentin.sch...@cherry.de>
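
The failure mode described in this cover letter, as an added example that is not code from the patch series or from binman: a signing step that exits 0 while reporting a missing key on stderr, next to a stricter runner and a key-name-hint check. The function names, the stand-in tool and its message text are all assumptions constructed for illustration.

```python
import os
import subprocess
import sys

# Constructed stand-in for a signing tool: it exits 0 but reports the missing
# key on stderr. The message text is made up for this example.
FAKE_TOOL = [sys.executable, "-c",
             "import sys; sys.stderr.write('cannot find key file\\n'); sys.exit(0)"]


def check_key_name_hint(hint):
    """Reject a key-name-hint that carries a directory component (hypothetical helper)."""
    if not hint or hint in (".", "..") or os.path.basename(hint) != hint:
        raise ValueError(
            f"'key-name-hint' must be a bare key name, not a path: {hint!r}")
    return hint


def run_lenient(cmd):
    """Models the silent failure: stderr is dropped whenever the exit code is 0."""
    res = subprocess.run(cmd, capture_output=True, text=True)
    if res.returncode != 0:
        raise RuntimeError(res.stderr.strip())
    return res.stdout


def run_strict(cmd):
    """Assumed policy for signing steps: any stderr output is a failure, even on exit 0."""
    res = subprocess.run(cmd, capture_output=True, text=True)
    if res.returncode != 0 or res.stderr.strip():
        raise RuntimeError(
            f"{cmd[0]} exited {res.returncode}: {res.stderr.strip()}")
    return res.stdout


if __name__ == "__main__":
    print("lenient runner returned:", repr(run_lenient(FAKE_TOOL)))
    for hint in ("dev", "keys/dev"):
        try:
            print("accepted hint:", check_key_name_hint(hint))
        except ValueError as exc:
            print("rejected hint:", exc)
    try:
        run_strict(FAKE_TOOL)
    except RuntimeError as exc:
        print("strict runner raised:", exc)
```

Rejecting the path before the signing tool is invoked turns an unsigned image into a build error; the strict runner is a second line of defence for any other condition the tool reports only on stderr.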