.TH PESIGN 1 "Thu Jun 21 2012" .SH NAME pesign \- command line tool for signing UEFI applications .SH SYNOPSIS \fBpesign\fR [\-\-in=\fIinfile\fR | \-i \fIinfile\fR] [\-\-out=\fIoutfile\fR | \-o \fIoutfile\fR] [\-\-certdir=\fIcertdir/fR | \-n \fIcertdir\fR] [\-\-nss\-token=\fItoken\fR | \-t \fItoken\fR] [\-\-certificate=\fInickname\fR | \-c \fInickname\fR] [\-\-force | \-f] [\-\-sign | \-s] [\-\-hash | \-h] [\-\-digest_type=\fIdigest\fR | \-d \fIdigest\fR] [\-\-show\-signature | \-S ] [\-\-remove\-signature | \-r ] [\-\-export\-pubkey=\fIoutkey\fR | \-K \fIoutkey\fR] [\-\-export\-cert=\fIoutcert\fR | \-C \fIoutcert\fR] [\-\-ascii\-armor | \-a] [\-\-daemonize | \-D] [\-\-nofork | \-N] [\-\-signature\-number=\fIsignum\fR | \-u \fIsignum\fR] .SH DESCRIPTION \fBpesign\fR is a command line tool for manipulating signatures and cryptographic digests of UEFI applications. .SH OPTIONS .TP \fB-\-in\fR=\fIinfile\fR Specify input binary. .TP \fB-\-out\fR=\fIoutfile\fR Specify output binary. .TP \fB-\-certdir\fR=\fIcertdir\fR Specify nss certificate database directory. .TP \fB-\-nss-token\fR=\fItoken\fR Use the specified NSS token's certificate database. .TP \fB-\-certificate\fR=\fInickname\fR Use the certificate database entry with the specified nickname for signing. .TP \fB-\-force\fR Overwrite output files. Without this parameter, \fBpesign\fR will refuse to overrite any output files which already exist. .TP \fB-\-sign\fR Sign the input binary with the key specified by \fB-\-certificate\fR. .TP \fB-\-hash\fR Display the cryptographic digest of the input binary on standard output. .TP \fB-\-digest_type\fR=\fIdigest\fR Use the specified digest in hashing and signing operations. By default, this value is "sha256". Use "\-\-digest_type=help" to list the available digests. .TP \fB-\-show-signature\fR Show information about the signature of the input binary. .TP \fB-\-remove-signature\fR Remove the signature section from the binary. .TP \fB-\-signature-number\fR=\fIsignum\fR Specify which signature to operate on. This field is zero-indexed. .TP \fB-\-export-pubkey\fR=\fIoutkey\fR Export the public key specified by \-\-certificate to \fIoutkey\fR .TP \fB-\-export-cert\fR=\fIoutcert\fR Export the certificate specified by \-\-certificate to \fIoutcert\fR .TP \fB-\-ascii\fR Use ascii armoring on exported certificates. .TP \fB-\-daemonize\fR Spawn a daemon for use with \fBpesign-client(1)\fR .TP \fB-\-nofork\fR Do not fork when using \fB-\-daemonize\fR. .SH EXAMPLES If you have a certificate file and private key file, the following steps may be used to sign a PE image: .RS 4 # Create a pkcs12 file from private key and .RE .RS 4 # certificate file. .RE .RS 4 host:~$ openssl pkcs12 \-export \-out foo_key.p12 \\ .RE .RS 20 \-inkey signing_key.pem \\ .RE .RS 20 \-in xyz_cert.x509.pem .LP .RE .RS 4 # Import pkcs12 file into pesign db .RE .RS 4 host:~$ pk12util \-i foo_key.p12 \-d /etc/pki/pesign .LP .RE .RS 4 # Do the signing .RE .RS 4 host:~$ pesign \-i \-o \\ .RE .RS 19 \-c \-s .RE .LP Please note that this is just an example, and that recommended best practice is to always store private keys in a FIPS 140-2 hardware security module, level 2 or higher. .SH "SEE ALSO" .BR pesign-client (1) .LP .BR FIPS\ 140-2 http://csrc.nist.gov/publications/PubsFIPS.html .SH AUTHORS .nf Peter Jones .fi