STM32_SigningTool_CLI issue with PKCS#11 and -hv 2.2

VDomi.2 · ‎2026-02-17

I was able to sign properly a tf-a image using STM32_SigningTool_CLI

STM32_SigningTool_CLI -bin tf-a.stm32 -o tf-a_Signed.stm32 --password password --public-key publicKey00.pem publicKey01.pem publicKey02.pem publicKey03.pem publicKey04.pem publicKey05.pem publicKey06.pem publicKey07.pem --private-key privateKey00.pem --type fsbl --header-version 2.2 -of 0x00000001

I was moving my setup to use a pkcs#11 to better manage my secrets. I was trying to use softhsmv2 as a first step. It seems that if -hv is specified the tool is failing while validating the inputs:

STM32_SigningTool_CLI -bin tf-a.stm32 -o tf-a_Signed.stm32 --password password --header-version 2.2 -of 0x00000001 --module /usr/lib/softhsm/libsofthsm2.so -ki 00 01 02 03 04 05 06 07 -pwd password -si 0x00 -aki 0x00 --header-version 2.2

This produces the error:

Error: Invalid Header version value
Header v2.2 accepts 8 public keys

And if I don't define --header-version the tool works properly, but the output is generated using header version 2.0.

VDomi.2 · ‎2026-02-24

Hello again,

Just to add more info: I have checked with version v2.22.0 of the Signing Tool and the issue is still present.

From my side I have moved to my own tool to perform the signing. But I am happy to help to test the issue.

Amine_Jridi · ‎2026-03-02

Hello @VDomi.2,

Thank you for bringing this to our attention. I have submitted a ticket to our team for resolution.

Internal ticket number: 228030 (This is an internal tracking number and is not accessible or usable by customers).

Thanks,

Amine.

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.