fix(espsecure): Allow signing multiple files in one go

peterdragun · peterdragun · commit 0177d611acfe · 2025-08-22T12:37:23.000+02:00
diff --git a/espsecure/__init__.py b/espsecure/__init__.py
@@ -21,6 +21,7 @@
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 from cryptography.utils import int_to_bytes
 
+from esptool.cli_util import OptionEatAll
 from esptool.logger import log
 
 import esptool
@@ -1645,6 +1646,8 @@ def generate_signing_key_cli(version, scheme, keyfile):
     "--keyfile",
     "-k",
     type=click.File("rb"),
+    cls=OptionEatAll,
+    required=True,
     multiple=True,
     help="Private key file for signing. Key is in PEM format.",
 )
@@ -1677,13 +1680,15 @@ def generate_signing_key_cli(version, scheme, keyfile):
 @click.option(
     "--pub-key",
     type=click.File("rb"),
+    cls=OptionEatAll,
     multiple=True,
     help="Public key files corresponding to the private key used to generate the "
     "pre-calculated signatures. Keys should be in PEM format.",
 )
 @click.option(
     "--signature",
     type=click.File("rb"),
+    cls=OptionEatAll,
     multiple=True,
     default=None,
     help="Pre-calculated signatures. Signatures generated using external private keys "
diff --git a/test/test_espsecure.py b/test/test_espsecure.py
@@ -197,6 +197,33 @@ def test_sign_v2_data(self, scheme):
             output_file.close()
             os.unlink(output_file.name)
 
+    def test_sign_v2_multiple_keys_cli(self):
+        keydir = os.path.join(TEST_DIR, "secure_images")
+        with tempfile.NamedTemporaryFile(delete=False) as output_file:
+            self.run_espsecure(
+                "sign-data --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key.pem "
+                f"{keydir}/rsa_secure_boot_signing_key2.pem "
+                f"{keydir}/rsa_secure_boot_signing_key3.pem "
+                f"--output {output_file.name} "
+                f"{keydir}/bootloader_unsigned_v2.bin"
+            )
+            self.run_espsecure(
+                "verify-signature --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key.pem "
+                f"{output_file.name}"
+            )
+            self.run_espsecure(
+                "verify-signature --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key2.pem "
+                f"{output_file.name}"
+            )
+            self.run_espsecure(
+                "verify-signature --version 2 --keyfile "
+                f"{keydir}/rsa_secure_boot_signing_key3.pem "
+                f"{output_file.name}"
+            )
+
     def test_sign_v2_multiple_keys(self):
         # 3 keys + Verify with 3rd key
         try:
