Example FIT image descriptor with signatures & buildroot post-image hook / https://blog.inf.re/buildroot-cheatsheet.html

image.its

/dts-v1/;

/ {
	description = "Example FIT image";
	#address-cells = <1>;

	images {
		kernel@1 {
			description = "default kernel";
			data = /incbin/("./zImage");
			type = "kernel";
			arch = "arm";
			os = "linux";
			compression = "none";
			load = <0x42000000>;
			entry = <0x42000000>;
			hash@1 {
				algo = "sha1";
			};
		};

		ramdisk@1 {
			description = "rootfs";
			data = /incbin/("./rootfs.cpio.gz");
			type = "ramdisk";
			arch = "arm";
			os = "linux";
			compression = "gzip";
			load = <00000000>;
			entry = <00000000>;
			hash@1 {
				algo = "sha1";
			};
		};

		fdt@1 {
			description = "device tree";
			data = /incbin/("./sun8i-h2-plus-orangepi-zero.dtb");
			type = "flat_dt";
			arch = "arm";
			compression = "none";
			hash@1 {
				algo = "sha1";
			};
		};

	};

	configurations {
		default = "config@1";

		config@1 {
			description = "default configuration";
			kernel = "kernel@1";
			ramdisk = "ramdisk@1";
			fdt = "fdt@1";

			signature@1 {
				algo = "sha1,rsa2048";
				key-name-hint = "dev";
				sign-images = "fdt", "kernel", "ramdisk";
			};
		};
	};
};

post-image-signatures.sh

#!/bin/sh
# post-image-signatures.sh - build full .itb image with signatures

set -e

BOARD_DIR="$( dirname "${0}" )"
KEYS_DIR="${BOARD_DIR}/../../keys"
MKIMAGE="${HOST_DIR}/bin/mkimage"
IMAGE_ITS="image.its"
OUTPUT_NAME="image.itb"

# We have to copy .its file over to images/ for /incbin/ to work
cp "${BOARD_DIR}/${IMAGE_ITS}" "${BINARIES_DIR}"

cd "${BINARIES_DIR}"

echo " -> Building..."
"${MKIMAGE}" -D "-I dts -O dtb -p 2000" -f ${IMAGE_ITS} ${OUTPUT_NAME}

echo " -> Signing..."
"${MKIMAGE}" -D "-I dts -O dtb -p 2000" -F -k "${KEYS_DIR}" -K "${BUILD_DIR}/uboot-2017.03/dts/dt.dtb" -r ${OUTPUT_NAME}

rm ${IMAGE_ITS}

# Rebuild uboot with patched dtb
cd "${BUILD_DIR}/.."
make uboot-rebuild