PESIGN(1) | General Commands Manual | PESIGN(1) |
NAME¶
pesign - command line tool for signing UEFI applicationsSYNOPSIS¶
pesign [--in=infile | -i infile] [--out=outfile | -o outfile] [--certdir=certdir/fR | -n certdir] [--nss-token=token | -t token] [--certificate=nickname | -c nickname] [--force | -f] [--sign | -s] [--hash | -h] [--digest_type=digest | -d digest] [--show-signature | -S ] [--remove-signature | -r ] [--export-pubkey=outkey | -K outkey] [--export-cert=outcert | -C outcert] [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N] [--signature-number=signum | -u signum]DESCRIPTION¶
pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.OPTIONS¶
- --in=infile
- Specify input binary.
- --out=outfile
- Specify output binary.
- --certdir=certdir
- Specify nss certificate database directory.
- --nss-token=token
- Use the specified NSS token's certificate database.
- --certificate=nickname
- Use the certificate database entry with the specified nickname for signing.
- --force
- Overwrite output files. Without this parameter, pesign will refuse to overrite any output files which already exist.
- --sign
- Sign the input binary with the key specified by --certificate.
- --hash
- Display the cryptographic digest of the input binary on standard output.
- --digest_type=digest
- Use the specified digest in hashing and signing operations. By default, this value is "sha256". Use "--digest_type=help" to list the available digests.
- --show-signature
- Show information about the signature of the input binary.
- --remove-signature
- Remove the signature section from the binary.
- --signature-number=signum
- Specify which signature to operate on. This field is zero-indexed.
- --export-pubkey=outkey
- Export the public key specified by --certificate to outkey
- --export-cert=outcert
- Export the certificate specified by --certificate to outcert
- --ascii
- Use ascii armoring on exported certificates.
- --daemonize
- Spawn a daemon for use with pesign-client(1)
- --nofork
- Do not fork when using --daemonize.
EXAMPLES¶
If you have a certificate file and private key file, the following steps may be used to sign a PE image:# Create a pkcs12 file from private key and
# certificate file.
host:~$ openssl pkcs12 -export -out foo_key.p12 \
-inkey signing_key.pem \
-in xyz_cert.x509.pem
# Import pkcs12 file into pesign db
host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign
# Do the signing
host:~$ pesign -i <input-file> -o
<output-file> \
-c <cert nickname> -s
Please note that this is just an example, and that recommended best practice is to always store private keys in a FIPS 140-2 hardware security module, level 2 or higher.
SEE ALSO¶
pesign-client(1)AUTHORS¶
Peter Jones
Thu Jun 21 2012 |