# Sign images
Image signing ensures the authenticity, integrity, and origin of the images.
To flash the images, do the following:
1. For using different signing methods and the secure image
functionality, see [SecTools V2: Secure Image User Guide](https://docs.qualcomm.com/bundle/80-NM248-12/resource/80-NM248-12_REV_AB_SecTools_V2__Secure_Image_User_Guide.pdf).
2. If the local signer is used and keys and certificates are generated
using these commands, see [Generate local (insecure) root key and certificate](https://docs.qualcomm.com/doc/80-70017-11/topic/generate-local-insecure-root-key-and-certificates.html#generate-local-insecure-root-key-and-certificates).
3. To sign a single image, run the following command, where `tz.mbn`
is used as an example.
>
>
> Note
>
>
> You can replace the values of oem-id “**0x1**” and oem-product-id “**0xabcd**” according your requirement.
/common/sectoolsv2/ext//sectools.exe secure-image --sign /path/to/tz.mbn --image-id=TZ --security-profile /common/sectoolsv2/_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn
Copy to clipboard
The following is a sample command for QCS9075/QCS9100.
>
>
> /common/sectoolsv2/ext//sectools.exe secure-image --sign /path/to/tz.mbn --image-id=TZ --security-profile /common/sectoolsv2/lemans_security_profile.xml --oem-id=0x1 --oem-product-id=0xabcd --anti-rollback-version=0x0 --signing-mode=LOCAL --root-certificate=./OEM-KEYS/qpsa_rootca.cer --ca-certificate=./OEM-KEYS/qpsa_attestca.cer --ca-key=./OEM-KEYS/qpsa_attestca.key --outfile ./signed_images_out/tz.mbn
> Copy to clipboard
4. For the images that should be split, use the `--pil-split` option.
5. For signing the complete metabuild, use the following commands.
>
>
> - ::
> - ./sectools metabuild-secure-image –image-finder <meta>/common/build/app/image\_finder.py –sign –oem-id=0x1 –oem-product-id=0xabcd –anti-rollback-version=0x0 –signing-mode LOCAL –root-certificate=./OEM-KEYS/qpsa\_rootca.cer –ca-certificate=./OEM-KEYS/qpsa\_attestca.cer –ca-key=./OEM-KEYS/qpsa\_attestca.key –chipset LEMANS –outdir <path/to/output>
For more information, see [SecTools V2: Metabuild Secure Image User Guide](https://docs.qualcomm.com/bundle/80-NM248-17/resource/80-NM248-17_REV_AB_SecTools_V2__Metabuild_Secure_Image_User_Guide.pdf).
Note
The *SecTools* guides are available to licensed developers with authorized access.
Last Published: Jan 30, 2025
[Previous Topic
Generate SHA-384 hash for RSA and ECDSA](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/generate-sha-384-hash-for-rsa-and-ecdsa.md) [Next Topic
Generate signed sec.elf image](https://docs.qualcomm.com/bundle/publicresource/80-70017-11/topics/generate-signed-sec-elf-image.md)