SHA verification fails on signed images

Simon Glass sjg at
Wed May 3 03:27:57 CEST 2023

Hi Andy,

On Tue, 2 May 2023 at 11:13, Andy Pandy <andypandy123g at> wrote:
> Hi there,
> I have a FIT image that boots fine, but when I sign it, with the following
> command, it fails to boot:
> mkimage -k keys -r -o sha256,rsa2048 -F
> It fails while checking sha256, Bad hash value for 'hash' hash node in ...
> I get similar error when I test it on my host:
> tools/fit_check_sign -f -k u-boot-spl.dtb
> After debugging, I found that after signing the image, data gets imbedded
> into images structure with data = <...> field, but data-offset, data-size
> fields (used for external reference) are not removed, and that's why when
> verifying the signatures fit_image_get_data_and_size() function gets
> confused when finds data-offset settings and calculates sha256 on the wrong
> data.
> I checked my other projects, with older version of uboot, and I can confirm
> that there after signing a FIT image data-offset, data-size fields got
> removed and data field appeared with data.
> I am experiencing the issue with the recent head of the mater branch of
> u-boot.
> Did I miss something or is it a bug?

It is sort-of a bug, or at least a missing feature. It is not possible
to update an external FIT back to an 'internal' one. You could try
using the -E flag. If that works, then we should update the docs
(please send patch). If not perhaps the best fix for now is to
generate an error.

The problem is that updating the metadata for an image that has
already been signed is difficult, since you need to keep the original
property ordering, etc.

Typical usage is to only specify -E once all the signing is done.


More information about the U-Boot mailing list