.TH PESIGN 1 "Thu Jun 21 2012"
.SH NAME
pesign \- command line tool for signing UEFI applications
.SH SYNOPSIS
\fBpesign\fR [\-\-in=\fIinfile\fR | \-i \fIinfile\fR]
[\-\-out=\fIoutfile\fR | \-o \fIoutfile\fR]
[\-\-certdir=\fIcertdir\fR | \-n \fIcertdir\fR]
[\-\-nss\-token=\fItoken\fR | \-t \fItoken\fR]
[\-\-certificate=\fInickname\fR | \-c \fInickname\fR]
[\-\-force | \-f] [\-\-sign | \-s] [\-\-hash | \-h]
[\-\-digest_type=\fIdigest\fR | \-d \fIdigest\fR]
[\-\-show\-signature | \-S ] [\-\-remove\-signature | \-r ]
[\-\-export\-pubkey=\fIoutkey\fR | \-K \fIoutkey\fR]
[\-\-export\-cert=\fIoutcert\fR | \-C \fIoutcert\fR]
[\-\-ascii\-armor | \-a] [\-\-daemonize | \-D] [\-\-nofork | \-N]
[\-\-signature\-number=\fIsignum\fR | \-u \fIsignum\fR]
.SH DESCRIPTION
\fBpesign\fR is a command line tool for manipulating signatures and
cryptographic digests of UEFI applications.
.SH OPTIONS
.TP
\fB-\-in\fR=\fIinfile\fR
Specify input binary.
.TP
\fB-\-out\fR=\fIoutfile\fR
Specify output binary.
.TP
\fB-\-certdir\fR=\fIcertdir\fR
Specify the NSS certificate database directory.
.TP
\fB-\-nss-token\fR=\fItoken\fR
Use the specified NSS token's certificate database.
.TP
\fB-\-certificate\fR=\fInickname\fR
Use the certificate database entry with the specified nickname for signing.
.TP
\fB-\-force\fR
Overwrite output files. Without this parameter, \fBpesign\fR will refuse
to overwrite any output files which already exist.
.TP
\fB-\-sign\fR
Sign the input binary with the key specified by \fB-\-certificate\fR.
.TP
\fB-\-hash\fR
Display the cryptographic digest of the input binary on standard output.
.TP
\fB-\-digest_type\fR=\fIdigest\fR
Use the specified digest in hashing and signing operations. By default,
this value is "sha256". Use "\-\-digest_type=help" to list the available
digests.
.TP
\fB-\-show-signature\fR
Show information about the signature of the input binary.
.TP
\fB-\-remove-signature\fR
Remove the signature section from the binary.
.TP
\fB-\-signature-number\fR=\fIsignum\fR
Specify which signature to operate on. This field is zero-indexed.
.TP
\fB-\-export-pubkey\fR=\fIoutkey\fR
Export the public key specified by \fB-\-certificate\fR to \fIoutkey\fR.
.TP
\fB-\-export-cert\fR=\fIoutcert\fR
Export the certificate specified by \fB-\-certificate\fR to \fIoutcert\fR.
.TP
\fB-\-ascii-armor\fR
Use ASCII armoring on exported certificates and public keys.
.TP
\fB-\-daemonize\fR
Spawn a daemon for use with \fBpesign-client(1)\fR.
.TP
\fB-\-nofork\fR
Do not fork when using \fB-\-daemonize\fR.
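The options \fB-\-show-signature\fR, \fB-\-signature-number\fR and \fB-\-remove-signature\fR all act on the PE certificate table: the security data directory (index 4) of the optional header holds a file offset and size, and that region is a sequence of 8-byte-aligned WIN_CERTIFICATE entries, each carrying a PKCS#7 SignedData blob. The following Python is an added illustration, not code from pesign itself; it walks that table with zero-based indices, strips one entry and rewrites the directory entry, and builds a constructed minimal PE32+ image (no sections, placeholder payloads instead of real PKCS#7) so that it runs without any signed binary. The names build_sample_pe, list_signatures and remove_signature are this example's own.

```python
"""Walk and strip the Authenticode certificate table of a PE image.
Added illustration, not pesign's own code: it models what --show-signature,
--signature-number and --remove-signature operate on."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate is a PKCS#7 SignedData blob
WIN_CERT_REVISION_2_0 = 0x0200


def _security_dir(data):
    """Return (entry_off, table_off, table_size) for the security data directory.
    entry_off is where the 8-byte IMAGE_DATA_DIRECTORY entry itself lives, so
    callers can rewrite it; table_off is a file offset, not an RVA, per the PE spec."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                           # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:                         # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("image has no security data directory")
    entry_off = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    table_off, table_size = struct.unpack_from("<II", data, entry_off)
    return entry_off, table_off, table_size


def list_signatures(data):
    """Enumerate WIN_CERTIFICATE entries, zero-indexed like --signature-number."""
    _, table_off, table_size = _security_dir(data)
    if table_off == 0:
        return []                                # unsigned image
    sigs, off, end = [], table_off, table_off + table_size
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE header at 0x%x" % off)
        sigs.append({"index": len(sigs), "offset": off, "length": length,
                     "revision": rev, "type": ctype,
                     "payload": bytes(data[off + 8:off + length])})
        off += (length + 7) & ~7                 # entries are padded to 8 bytes
    return sigs


def remove_signature(data, signum):
    """Drop signature `signum`, rewrite the table and the directory entry.
    Requires the table to be the trailing bytes of the file, which is where
    signing tools append it; the Authenticode digest never covers that region."""
    entry_off, table_off, table_size = _security_dir(data)
    sigs = list_signatures(data)
    if not 0 <= signum < len(sigs):
        raise IndexError("no signature with index %d" % signum)
    if table_off + table_size != len(data):
        raise ValueError("certificate table is not at the end of the file")
    out = bytearray(data[:table_off])
    for s in sigs:
        if s["index"] == signum:
            continue
        entry = struct.pack("<IHH", 8 + len(s["payload"]), s["revision"], s["type"]) + s["payload"]
        out += entry + b"\0" * (-len(entry) % 8)
    new_size = len(out) - table_off
    # An empty table must be reported as offset 0 / size 0, not a dangling pointer.
    struct.pack_into("<II", out, entry_off, table_off if new_size else 0, new_size)
    return bytes(out)


def build_sample_pe(payloads):
    """Constructed minimal PE32+ (no sections) carrying one WIN_CERTIFICATE per payload."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, SizeOfOptionalHeader=240
    opt = bytearray(240)                                        # PE32+ header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    hdr_len = len(dos) + 4 + len(coff) + len(opt)               # 328 bytes, already 8-byte aligned
    struct.pack_into("<I", opt, 60, hdr_len)                    # SizeOfHeaders
    table = b""
    for p in payloads:
        entry = struct.pack("<IHH", 8 + len(p), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + p
        table += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     hdr_len if table else 0, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Constructed placeholder payloads stand in for real PKCS#7 blobs.
    image = build_sample_pe([b"CONSTRUCTED-PKCS7-ONE", b"CONSTRUCTED-PKCS7-TWO-LONGER"])
    for s in list_signatures(image):
        print("signature %d at 0x%x, %d bytes, type 0x%04x" % (s["index"], s["offset"], s["length"], s["type"]))
    print("after removing 0:", len(list_signatures(remove_signature(image, 0))), "signature(s) left")
```

The same index that list_signatures reports is the one \fB-\-signature-number\fR takes, so a binary carrying two signatures (for example one per signing key) is inspected and pruned one entry at a time; the surviving entries keep their bytes unchanged because the Authenticode digest excludes the checksum, the security directory entry and the table itself.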
.SH EXAMPLES
If you have a certificate file and private key file, the following steps
may be used to sign a PE image:
.RS 4
# Create a pkcs12 file from private key and
.RE
.RS 4
# certificate file.
.RE
.RS 4
host:~$ openssl pkcs12 \-export \-out foo_key.p12 \\
.RE
.RS 20
\-inkey signing_key.pem \\
.RE
.RS 20
\-in xyz_cert.x509.pem
.LP
.RE
.RS 4
# Import pkcs12 file into pesign db
.RE
.RS 4
host:~$ pk12util \-i foo_key.p12 \-d /etc/pki/pesign
.LP
.RE
.RS 4
# Do the signing
.RE
.RS 4
host:~$ pesign \-i \-o