For some reason mkimage allows you to sign with public keys that are not paired with the private key leading to fit images that will never be bootable due to signature verification failure like in the title of the post.
For example imagine you generate 2 sets of keys by doing :
#From https://github.com/siemens/u-boot/blob/master/doc/uImage.FIT/beaglebone_vboot.txt #priv key openssl genrsa -F4 -out keys/k1.key 2048 openssl genrsa -F4 -out keys/k2.key 2048 #pub key openssl req -batch -new -x509 -key keys/k1.key -out keys/dev.crt #Somehow mess things up: mv keys/k2.key keys/k1.key
If you follow the above instructions and run mkimage on the keys directory, you will get no error, which is kind of amazing. What will happen is that next time you try to boot the fit image the validation will always fail.
A good way to make sure that you do not have such a situation going all the way to a board, and in the worst case bricking it, is to check with a tool included in u-boot:
uboot-fit_check_sign -f $fit_image -k $uboot_with_dtb
Extra: mkimage has an extra way of making things look fine when they are not.
When running mkimage and asking it to sign an image and the keys directory does not exist or there is some issue with the keys passed, mkimage will happily return success, even if it does not fulfill the request:
$ mkimage -f sign.its -K $dtb_with_pubkeysz -k $non_existing_dir -r image.fit $ echo $? 0
For a good primer on how fit images and signatures work with u-boot, have a look at this doc It is a really good text. Do not get fooled by the beaglebone name, as it is generic for other boards.