Secure Firmware Signing Without Saving Private Keys

I recently faced a challenge while setting up a CI pipeline for my nRF52840 project. The goal was to automate the compilation, signing, and uploading of firmware images without saving the private key to disk, as I don’t have direct control over the CI machine. I stumbled upon an old PR that mentioned this feature was added to nrfutil, but I struggled to implement it correctly.

Initially, I tried saving the private key to an environment variable and passing it using process substitution. However, nrfutil kept throwing an error, indicating that it couldn’t find the file. It seemed like nrfutil was expecting a file path rather than the key content directly.

After some experimentation, what worked was bash process substitution. `<(...)` runs a command in the background and substitutes a path such as `/dev/fd/63`, which nrfutil opens like an ordinary file; the bytes arrive through a pipe, not through stdin, and nothing is written to disk. What actually matters for the goal is where the bytes fed into the substitution come from: `<(cat private_key.pem)` merely copies a key that is already sitting on the runner's disk, which defeats the purpose. The key should instead be exported by the CI runner from its secret store into an environment variable and written from there:

```bash
# NRF_SIGNING_KEY is a placeholder for the variable your CI runner populates
# from its secret store; --hw-version, --sd-req and --application-version
# must match your board and SoftDevice. Keep "set -x" off around this line:
# xtrace would print the key into the job log.
nrfutil pkg generate --hw-version 52 --sd-req 0x00 --application-version 1 \
    --application firmware.hex --key-file <(printf '%s\n' "$NRF_SIGNING_KEY") signed_package.zip
```
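Process substitution has one weakness: the path it produces lives under `/dev/fd`, and a tool that insists the argument be a regular file, or that resolves the path before opening it, can reject it with exactly the "file not found" style error described above. The fallback below is an added example, not code from the original post or from nrfutil: it hands a PEM key that exists only in an environment variable to any command through a named pipe in a private temporary directory. A FIFO is a real directory entry, so existence checks pass, but its bytes sit only in a kernel pipe buffer and never reach the disk. The function name, the `{key}` placeholder and the `SIGNING_KEY` variable are my own choices.

```shell
#!/bin/sh
# Added example: run a tool with a private key that is held only in an
# environment variable, delivered through a named pipe rather than a file.
#
# Usage: run_with_key_fifo VARNAME cmd [args...]
#   Every argument equal to the placeholder "{key}" is replaced by the pipe
#   path before cmd runs. The body is a subshell so "key" and the other
#   variables vanish when the function returns (POSIX sh has no "local").
run_with_key_fifo() (
    var=$1; shift
    # Refuse under xtrace: "set -x" would echo the key into the CI job log.
    case $- in *x*) echo "xtrace is on; refusing to expose the key" >&2; return 2;; esac
    # Only a plain identifier may reach eval below.
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "bad variable name: $var" >&2; return 2;;
    esac
    eval "key=\${$var:-}"
    [ -n "$key" ] || { echo "$var is unset or empty" >&2; return 2; }
    # Cheap sanity check that we were handed a PEM private key, not junk.
    case $key in
        *"-----BEGIN "*"PRIVATE KEY-----"*) ;;
        *) echo "$var does not contain a PEM private key" >&2; return 2;;
    esac
    # Private 0700 directory plus a 0600 FIFO: no other local user can read it.
    dir=$(mktemp -d) || return 1
    chmod 700 "$dir"
    fifo=$dir/key.pem
    mkfifo -m 600 "$fifo" || { rm -rf "$dir"; return 1; }
    # Background writer: its open() blocks until the tool opens the pipe to read.
    printf '%s\n' "$key" > "$fifo" &
    writer=$!
    # Substitute "{key}" in the argument list (rotate through "$@" once).
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1; shift
        if [ "$arg" = "{key}" ]; then arg=$fifo; fi
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    if "$@"; then status=0; else status=$?; fi
    # If the tool never opened the pipe the writer is still blocked holding
    # the key; kill it so the secret does not linger in a stuck process.
    kill "$writer" 2>/dev/null || :
    wait "$writer" 2>/dev/null || :
    rm -rf "$dir"
    return "$status"
)
```

With nrfutil the call would be `run_with_key_fifo SIGNING_KEY nrfutil pkg generate ... --key-file '{key}' signed_package.zip`. Whether nrfutil accepts a pipe as `--key-file` depends on how it validates the argument, so test it locally before relying on it in CI. Note also that the key is still present in the job's environment and in the signing process's memory; the pipe only removes the on-disk copy.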

This approach worked, and it does keep the PEM file off the runner's disk while fitting neatly into the CI job. It is worth being clear about what it does not do, though: the key still exists in the job's environment and in nrfutil's process memory, so anything that can execute on the same runner (a malicious build step, a compromised build dependency, another job on a shared runner) can still read it, and environment variables are visible to other processes running as the same user. Keep the secret masked in the CI provider's logs, keep `set -x` off around the signing step, and run signing on an isolated runner rather than a shared one.

I hope this solution helps others facing similar challenges. If anyone has additional tips or alternative methods, I’d love to hear about them!