diff --git a/components/bootloader/subproject/signature_verification_key.bin b/components/bootloader/subproject/signature_verification_key.bin new file mode 100644 index 0000000000..7585540015 --- /dev/null +++ b/components/bootloader/subproject/signature_verification_key.bin @@ -0,0 +1 @@ +YÏçIA))‰Ô->!ìPb4kè¹JœÊ¬He‚™£toȡŊK¡/¹œØ†”÷r›ÆfMÓ—D;þÿ|(E \ No newline at end of file diff --git a/components/bootloader_support/src/esp_image_format.c b/components/bootloader_support/src/esp_image_format.c index f053a20692..0f29ab054d 100644 --- a/components/bootloader_support/src/esp_image_format.c +++ b/components/bootloader_support/src/esp_image_format.c @@ -18,6 +18,7 @@ #include #include #include +#define LOG_LOCAL_LEVEL ESP_LOG_ERROR #include #include #include @@ -166,15 +167,18 @@ goto err; rewritten the header - rely on esptool.py having verified the bootloader at flashing time, instead. */ if (!is_bootloader) { -#ifdef CONFIG_SECURE_BOOT_ENABLED - // secure boot images have a signature appended - err = verify_secure_boot_signature(sha_handle, data); -#else - // No secure boot, but SHA-256 can be appended for basic corruption detection - if (sha_handle != NULL) { - err = verify_simple_hash(sha_handle, data); +//#ifdef CONFIG_SECURE_BOOT_ENABLED + if (esp_secure_boot_enabled()) { + // secure boot images have a signature appended + err = verify_secure_boot_signature(sha_handle, data); +//#else + } else { + // No secure boot, but SHA-256 can be appended for basic corruption detection + if (sha_handle != NULL) { + err = verify_simple_hash(sha_handle, data); + } } -#endif // CONFIG_SECURE_BOOT_ENABLED +//#endif // CONFIG_SECURE_BOOT_ENABLED } else { // is_bootloader // bootloader may still have a sha256 digest handle open if (sha_handle != NULL) { diff --git a/examples/wifi/scan/sdkconfig b/examples/wifi/scan/sdkconfig index ffd0b95b12..f7b174fb91 100644 --- a/examples/wifi/scan/sdkconfig +++ b/examples/wifi/scan/sdkconfig 
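Review bot: The added `#define LOG_LOCAL_LEVEL ESP_LOG_ERROR` in the include block of esp_image_format.c compiles out every log call below error level in the image-verification code, and it looks like a local debugging override rather than an intended change. If it is intended, give it a comment such as `// Image loader logs errors only; raise this when debugging verification failures`; otherwise drop the line. The header names are not visible in this hunk, so whether the define precedes the logging header (which it must to take effect) could not be confirmed.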
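Review bot: In the `if (!is_bootloader)` branch, signature verification is now chosen by the runtime result of `esp_secure_boot_enabled()`, so firmware built for secure boot but running where that call returns false takes the `else` path and gets at most `verify_simple_hash()`, or no check at all when `sha_handle` is NULL. If that fallback is intended, state it in a comment above the `if`, e.g. `// Signature is enforced only once secure boot is active on the device; until then only the optional SHA-256 is checked`; otherwise keep the compile-time guard and put the runtime check inside it. `verify_secure_boot_signature()` is now referenced in every configuration, and whether its definition is still behind `CONFIG_SECURE_BOOT_ENABLED` elsewhere in the file cannot be seen from this hunk. The three commented-out directives (`//#ifdef`, `//#else`, `//#endif`) should be deleted rather than kept as dead text. The enclosing function starts and ends outside the hunk.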
@@ -26,7 +26,12 @@ CONFIG_BOOTLOADER_VDDSDIO_BOOST=y # # Security features # -CONFIG_SECURE_BOOT_ENABLED= +CONFIG_SECURE_BOOT_ENABLED=y +CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH= +CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y +CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y +CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem" +CONFIG_SECURE_BOOT_INSECURE= CONFIG_FLASH_ENCRYPTION_ENABLED= # diff --git a/examples/wifi/scan/secure_boot_signing_key.pem b/examples/wifi/scan/secure_boot_signing_key.pem new file mode 100644 index 0000000000..13e6fc7958 --- /dev/null +++ b/examples/wifi/scan/secure_boot_signing_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEICMyAIK9+SQEoSM06ju1q2PHfyQf34uN0J6WS0OFwP9OoAoGCCqGSM49 +AwEHoUQDQgAEWc/nSUEpKYnULT4h7AVQYjRr6AK5SpzKrEhlgpmjdBBvyKHFBopL +oS+5nNiGlPdym8YYZk3THReXRDv+/3woRQ== +-----END EC PRIVATE KEY----- diff --git a/examples/wifi/scan/signature_verification_key.bin b/examples/wifi/scan/signature_verification_key.bin new file mode 100644 index 0000000000..7585540015 --- /dev/null +++ b/examples/wifi/scan/signature_verification_key.bin @@ -0,0 +1 @@ +YÏçIA))‰Ô->!ìPb4kè¹JœÊ¬He‚™£toȡŊK¡/¹œØ†”÷r›ÆfMÓ—D;þÿ|(E \ No newline at end of file
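Review bot: The tracked default configuration for the scan example now sets `CONFIG_SECURE_BOOT_ENABLED=y` with `CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y` and `CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"`, so anyone who builds the example unchanged signs with the key file this same commit adds to the repository. A shared example should keep `CONFIG_SECURE_BOOT_ENABLED=` empty, with secure-boot settings kept in a local, untracked configuration that points at a key stored outside the source tree. As far as ESP-IDF's documentation describes reflashable mode, the bootloader key is derived from the signing key as well, so the choice of key file here would matter beyond app signing; this is worth confirming before the change lands.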
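Review bot: The new `examples/wifi/scan/secure_boot_signing_key.pem` is an EC private key in plain PEM form, committed next to the example that is configured to sign with it. Once it is in history, any image signed with it has to be considered forgeable by anyone with read access to the repository. The key should be treated as disclosed: remove the file from the tree and from history, generate a replacement outside the repository, and add an ignore rule for `*.pem` in the example directory. The two `signature_verification_key.bin` files added in this commit (under `components/bootloader/subproject/` and `examples/wifi/scan/`) appear to hold the matching public key and look like build outputs, so they should be dropped from the commit as well. Any device already provisioned against this key pair should not be relied on to reject unofficial images.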