Skip to content

Packaging an update


To package an update:

  • A manifest.json file has to be prepared, that contains the correct file names and version strings.
  • A public/private key pair has to be created.

The public key is embedded by the Image-Developer into the image and allows verification of the signatures created using the private key.

Key generation

The private and public key files are created using the STM32MP1-Keygen tool:

STM32MP1-Keygen Tool

The <privateKeyPassword> is required to package the update zip file.


The zip-File is created by the packager tool.

Store all files together with the manifest.json file and the packager in one directory.

Adjust the manifest.json file, so that it contains the desired version numbers.

Firmware Signing and Packaging Tool - (C) 2023 idastroem GmbH
Usage of ./packager:
  -fortress-key string
    	private key for use with fortress server
  -manifest string
    	manifest file that contains the update files and rules (default "manifest.json")
  -password string
    	password for private key file
  -privKey string
    	private key (default "privateKey.pem")
  -zipfile string
    	output zip file name, file will be overwritten without further notice.

You must specify a valid zipfile name.

Running the packager

Start the packager by running the following command: packager -password <privateKeyPassword> -zipfile

This creates the zip-file, which contains the ecdsa signatures for the files listed in manifest.json.

If everything succeeds, the following messages are printed out:

Firmware Signing and Packaging Tool - (C) 2023 idastroem GmbH

loading private key file 'privateKey.pem'
decryption successful

loading manifest file 'manifest.json'
+ adding file 'cc'
+ adding file 'm4.bin'

generating signatures.json
+ hashing file 'm4.bin' (726e02df7affc0726b2ccc97261ba2735455786f59f83b116a60bc99694ae8f9)
+ signature is '3045022044746c0219025828f8ca89a34cd4dacb32be315ac5c8dc28dc98202bdc6f3d84022100ebfa10ee57ef88fcc8f4bfcc7138be5e5f1f356f90eb5975a310a9fd715a
+ verifying signature...  'true'
+ hashing file 'cc' (0f24cf1bb9297d9301f43f54fc8b04cdf2daa24ca875bcb0b2e8735d1df952ad)
+ signature is '3045022100d1a9f180e5265ceb657c15d38808cc0e87169ca980d758b2bf88465cf3565463022078f8ca7ce2c563632eafb3af92b85392d7f15b9b92cf0a8ea93808551636
+ verifying signature...  'true'
+ hashing file 'manifest.json' (c78da59e288e6127cd3e88214c6e5e0945fde1d2895e795c826d906c01155131)
+ signature is '3045022001ae60f7afd9df4d63feb4e4aeaa9b1f582aabaa9682791636b0edd9299a8984022100aeb2b7b758136276018b650c7dbe55795bade015e996977d4290e700fd45
+ verifying signature...  'true'

creating zip file ''

Depending on the chosen delivery method, you can now:

  • Copy the file to an USB stick.
  • Upload the to the fw-update cloud service.