This is on an i.MX7D, related to manufacturing protection
I have a message that when I sign it, I'm unable to verify it. The message is 220 bytes long. If I truncate it to 219 bytes or extend it to 221 bytes and sign it, I can verify the signature. If I try a different 220 byte message, that works also. The behavior I'm seeing seems to related to the particular data I'm trying to sign.
For signing, I'm using u-boot's mfgprot command. For verification, I'm using a tool I wrote. If you need the source, I can provide it.
I've include the output of signing the message as 219, 220, and 221 bytes long. I've also included the output of my verification tool. As you can see, the hashes reported by u-boot match the ones I calculated during verification.
Edited to add:
It's giving me some invalid HTML error, so I'm just attaching the data as a text file.
We're seeing about 20-25% of the messages that we sign fail to verify.
On one of the messages, I've tried truncating to different sizes and some pass, some fail. The original message is 165 bytes long, I tried every size down to 1 byte and 17 of the messages fail verification. It's consistent - if a particular message fails to verify and I sign it again, the new signature will also fail to verify.