CreateSIS

The CreateSIS tool is a wrapper around the MakeSIS, SignSIS and MakeKeys tools.

This tool supports the creation and signing of SIS files, and generation of keys and certificate pairs for signing. It also displays signatures and certificate chain details of a SIS file.

Syntax

createsis [OPTIONS] <ARGS>

The following table lists the options supported by the CreateSIS tool.

Options Description Usage

create

Creates and signs the SIS file with a trusted key.

createsis create [-cert <cert>] [-key <key>] [-pass <passphrase>] <pkgfile>

sign

Signs a pre-existing SIS file with a trusted key.

Note: The output SIS file created is different from the input SIS file, therefore the original data is not destroyed.

createsis sign –cert <cert> -key <key> [-pass <passphrase>] <sis_input> <sis_output>

dump

Displays all valid signatures and certificates associated with the SIS file.

createsis dump <sisfile>

strip

Removes the most recent signatures from the SIS file.

createsis strip <sisfile>

The following table lists the arguments to be specified with the CreateSIS tool.

Arguments Description

-cert

Specifies the certificate file used for signing.

-key

Specifies private key file of the certificate.

-pass

Specifies passphrase of the private key file.

sis_input

Specifies the SIS file to be signed, unsigned or investigated.

sis_output

Specifies the name of the output SIS file.

pkgfile

Specifies the PKG file, for which a SIS file is generated.

sisfile

Specifies the name of the output SIS file to be generated.

Note: If not specified, is derived from the name of the PKG file, but with a SIS file extension.

Examples

The following examples illustrate the usage of the CreateSIS tool:

  • To create and sign a SIS file using a trusted key

    You can specify the trusted End Entity (EE) certificate and matching key using the -cert and -key parameters while creating the SIS file. Optionally, you can specify a passphrase to decrypt the private key using the -pass parameter.

    The trusted EE Certificate is one that chains back to a trusted root in the target device SWI certstore.

    createsis create -cert trustedchain.pem -key eecertkey.key mypackage.pkg
  • To sign a pre-existing SIS file with a trusted key

    You can sign and re-sign a pre-existing SIS file using the sign method. To sign a package, a key and certificate chain must be provided on the command line. The output SIS file is different from the input SIS file, so the original data is not destroyed.

    createsis sign -cert trustedchain.pem -key eecertkey.key mysis.sis mysis-signed.sis
  • To sign a pre-existing SIS file with a self-signed certificate

    When using sign method if key-certificate pair is not provided then CreateSIS signs the specified SIS file with an automatically generated self-signed certificate.

    createsis sign mysis.sis mysis-signed.sis

Related reference