General
The client-side tooling relies on the signing-tool.py script, which gathers the different use cases into subcommands. There is also config-init.py, should you choose to use an ini file for settings instead of direct command line parameters.
You can see the help for the tool with:
(venv) $ ./signing-tool.py -h
usage: signing-tool.py [-h] (-n N | -c) [-t <TOKEN>] [--skipssl] [-a <ADDRESS>] {imagesigning,group,product,production,escrow,fusemap,secrets,profile,encrypt,client,ca} ...
Example Signing API Tool
positional arguments:
{imagesigning,group,product,production,escrow,fusemap,secrets,profile,encrypt,client,ca}
Top level commands
imagesigning Imagesigning functionality
group Config group management functionality
product Product management functionality
production Production functionality E.g., Device certificates
escrow Escrow management functionality
fusemap Fusemap management functionality
secrets Secret management functionality
profile PKI Profile functionality
client Client functionality
ca CA functionality
options:
-h, --help show this help message and exit
-n N Config file path
-c Config from command line options
-t <TOKEN> OAUTH2 token for the API authentication
--skipssl Skip TLS verification
-a <ADDRESS> API address (eg. https://localhost:1234/api/v1)
This will also list all the subcommands provided by the tool.
You can see the help for any subcommand by passing -h after the subcommand name:
(venv) $ ./signing-tool.py product -h
usage: signing-tool.py product [-h] {add,approve,get,getapproval,getall} ...
positional arguments:
{add,approve,get,getapproval,getall}
Product subcommands
add Add new product request. If no template given then a product for digest signing is created
approve Approve product
get Get product
getapproval Get products requiring approval
getall Get all products
options:
-h, --help show this help message and exit
You can see the help for any 2nd level subcommand by passing -h after it:
(venv) $ ./signing-tool.py product add -h
usage: signing-tool.py product add [-h] [-T T]
options:
-h, --help show this help message and exit
-T T Product template file to use
Option 1: Create an ini file and use it as a parameter
Create the ini file. The token is valid only for a certain period of time. skipSSL is only used in local development.
Example:
(venv) $ ./config-init.py -n test.ini -t $TOKEN -s -a https://app.laavat.io/<CustomerName>/api/v1
The example creates a test.ini file:
[service]
url = https://app.laavat.io/<CustomerName>/api/v1
token = <redacted>
skipssl = True
After you have the ini file in place, you can use the signing-tool.py script.
(venv) $ ./signing-tool.py -n test.ini product getall
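A pre-flight check for the ini file described above, as an added example that is not part of the tool or its documentation: because the file holds the OAuth2 token and can turn off TLS verification, it flags group/other-accessible permissions, a non-HTTPS url, and skipssl enabled for a non-loopback host. The name audit_ini, the loopback host list and the sample URL are assumptions; the section and key names are those shown in test.ini.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlparse

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumption: what counts as local development


def audit_ini(path):
    """Return a list of findings for a signing-tool ini file (empty list means clean)."""
    findings = []
    # The file stores a bearer token, so only the owner should be able to access it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} lets group/other access the token; use chmod 600")

    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    cfg.read(path)
    if not cfg.has_section("service"):
        return findings + ["missing [service] section"]
    svc = cfg["service"]

    url = urlparse(svc.get("url", ""))
    if url.scheme != "https":
        findings.append(f"url scheme is {url.scheme!r}; the token would be sent without TLS")
    # skipssl turns off certificate verification; the page reserves it for local development.
    if svc.getboolean("skipssl", fallback=False) and url.hostname not in LOOPBACK_HOSTS:
        findings.append(f"skipssl is enabled for non-local host {url.hostname!r}")
    if not svc.get("token", "").strip():
        findings.append("token is empty")
    return findings


if __name__ == "__main__":
    # Constructed sample: world-readable file, skipssl on, remote placeholder host.
    sample = "[service]\nurl = https://signing.example.test/api/v1\ntoken = PLACEHOLDER\nskipssl = True\n"
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as fh:
        fh.write(sample)
    os.chmod(fh.name, 0o644)
    for finding in audit_ini(fh.name):
        print("FINDING:", finding)
    os.unlink(fh.name)
```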
Option 2: Use command line parameters to provide required information
Example:
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 product getall
Signing
HAB IMG signing.
With ini file:
(venv) $ ./signing-tool.py -n test.ini imagesigning add SignHABIMG -P 6c800aa5-d4b0-4e70-95cc-f29d126bc061 --operid e444a17e-283d-459a-bc83-61beca04d687 -p MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMQ==
With command line parameters (token is in the $TOKEN environment variable):
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignHABIMG -P 6c800aa5-d4b0-4e70-95cc-f29d126bc061 --operid e444a17e-283d-459a-bc83-61beca04d687 -p MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMQ==
HAB CSF signing.
With ini file:
(venv) $ ./signing-tool.py -n test.ini imagesigning add SignHABCSF -P 6c800aa5-d4b0-4e70-95cc-f29d126bc061 --operid 932aa5fd-c72b-4ffc-9502-4b837f591a2b -p MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMQ==
With command line parameters (token is in the $TOKEN environment variable):
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignHABCSF -P 6c800aa5-d4b0-4e70-95cc-f29d126bc061 --operid 932aa5fd-c72b-4ffc-9502-4b837f591a2b -p MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMQ==
OCI signing
OCI signing examples ($TOKEN contains the "regular" user token and $APPROVERTOKEN contains a token for a user that's in the approvers group):
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignOCI \
-P e1ec8ea5-b569-4da7-8a70-6eb910dad8ac --operid b4f4c9e4-cbd2-4073-820c-9d553a957e54 -A NjU2NjY2NTk4MzE3LmRrci5lY3IuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vdGVzdEBzaGEyNTY6M2ZiYzYzMjE2NzQyNGE2ZDk5N2U3NGY1MmI4NzhkN2NjNDc4MjI1Y2ZmYWM2YmM5NzdlZWRmZTUxYzdmNGU3OQo
# Approve the request
(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning approve \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
# Get the payload
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning get \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
RAUC signing
RAUC signing examples ($TOKEN contains the "regular" user token and $APPROVERTOKEN contains a token for a user that's in the approvers group):
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add RaucBundleSigning \
-N test -D test2 -P adcb30d8-f009-438e-b1b2-96f507b306cb --operid 4add90e9-ffb3-4708-9554-ed2e82e8fd71 -F rauc-verity.tar.gz
# Approve the rauc signing request
(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning approve \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
# Get the signed payload
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning get \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c -O /tmp/signed.rauc.bundle
CST signing
NXP i.MX6 packages can also be signed with the CST tool based operation. CST signing examples ($TOKEN contains the "regular" user token and $APPROVERTOKEN contains a token for a user that's in the approvers group):
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignHAB \
-N test -D test2 -P adcb30d8-f009-438e-b1b2-96f507b306cb --operid 4add90e9-ffb3-4708-9554-ed2e82e8fd71 -F SPL-hab
# Approve the cst signing request
(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning approve \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
# Get the signed payload
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning get \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c -O /tmp/signed.bin
FIT signing
FIT signing examples ($TOKEN contains the "regular" user token and $APPROVERTOKEN contains a token for a user that's in the approvers group):
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 \
imagesigning add SignUBoot -N test -D test2 \
-P adcb30d8-f009-438e-b1b2-96f507b306cb \
--operid 4add90e9-ffb3-4708-9554-ed2e82e8fd71 -F linux-uImage.bin
# Approve the signing request
(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning approve \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
# Get the signed payload
(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning get \
-I a83081a6-1d3b-4117-a81b-0ebcfcf0669c -O /tmp/signed.bin