In order to improve the security, only signed images can be uploaded.
There is a public and private key. The Bootloader is compiled with the public key. Each time you want to upload firmware, you have to sign it with a private key.
NOTE: it is important to keep the private key hidden
Generating a keypair with imgtool is a matter of running the keygen subcommand:
$ ./scripts/imgtool.py keygen -k mykey.pem -t rsa-2048
The generated keypair above contains both the public and the private key. It is necessary to extract the public key and insert it into the bootloader.
$ ./scripts/imgtool.py getpub -k mykey.pem
This will output the public key as a C array that can be dropped directly into the keys.c file.
sign the compiled zephyr.bin firmware with the root-rsa-2048.pem, private key:
imgtool.py sign --key ../../root-rsa-2048.pem \
--header-size 0x200 \
--align 8 \
--version 1.2 \
--slot-size 0x60000 \
../mcuboot/samples/zephyr/build/ds_d6/hello1/zephyr/zephyr.bin \
signed-hello1.bin