fix(espsecure): Allow signing multiple files in one go

2025-10-19 02:43:00 +08:00 · 2025-08-13 16:58:25 +02:00
parent 66a137738e
commit 0177d611ac
2 changed files with 32 additions and 0 deletions
--- a/espsecure/init.py
+++ b/espsecure/init.py
@@ -21,6 +21,7 @@ from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa, utils
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.utils import int_to_bytes

+from esptool.cli_util import OptionEatAll
 from esptool.logger import log

 import esptool
@@ -1645,6 +1646,8 @@ def generate_signing_key_cli(version, scheme, keyfile):
    "--keyfile",
    "-k",
    type=click.File("rb"),
+    cls=OptionEatAll,
+    required=True,
    multiple=True,
    help="Private key file for signing. Key is in PEM format.",
 )
@@ -1677,6 +1680,7 @@ def generate_signing_key_cli(version, scheme, keyfile):
@click.option(
    "--pub-key",
    type=click.File("rb"),
+    cls=OptionEatAll,
    multiple=True,
    help="Public key files corresponding to the private key used to generate the "
    "pre-calculated signatures. Keys should be in PEM format.",
@@ -1684,6 +1688,7 @@ def generate_signing_key_cli(version, scheme, keyfile):
@click.option(
    "--signature",
    type=click.File("rb"),
+    cls=OptionEatAll,
    multiple=True,
    default=None,
    help="Pre-calculated signatures. Signatures generated using external private keys "
--- a/test/test_espsecure.py
+++ b/test/test_espsecure.py
@@ -197,6 +197,33 @@ class TestSigning(EspSecureTestCase):
            output_file.close()
            os.unlink(output_file.name)

+    def test_sign_v2_multiple_keys_cli(self):
+        keydir = os.path.join(TEST_DIR, "secure_images")
+        with tempfile.NamedTemporaryFile(delete=False) as output_file:
+            self.run_espsecure(
+                "sign-data --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key.pem "
+                f"{keydir}/rsa_secure_boot_signing_key2.pem "
+                f"{keydir}/rsa_secure_boot_signing_key3.pem "
+                f"--output {output_file.name} "
+                f"{keydir}/bootloader_unsigned_v2.bin"
+            )
+            self.run_espsecure(
+                "verify-signature --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key.pem "
+                f"{output_file.name}"
+            )
+            self.run_espsecure(
+                "verify-signature --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key2.pem "
+                f"{output_file.name}"
+            )
+            self.run_espsecure(
+                "verify-signature --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key3.pem "
+                f"{output_file.name}"
+            )
+
    def test_sign_v2_multiple_keys(self):
        # 3 keys + Verify with 3rd key
        try: