.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.49.3.
.TH SIGN-EFI-SIG-LIST "1" "March 2024" "sign-efi-sig-list 1.9.2" "User Commands"
.SH NAME
sign-efi-sig-list - signing tool for secure variables as EFI Signature Lists
.SH SYNOPSIS
.B sign-efi-sig-list
[\fI\,-r\/\fR] [\fI\,-m\/\fR] [\fI\,-a\/\fR] [\fI\,-g <guid>\/\fR] [\fI\,-o\/\fR] [\fI\,-t <timestamp>\/\fR] [\fI\,-i <infile>\/\fR] [\fI\,-c <crt file>\/\fR] [\fI\,-k <key file>\/\fR] [\fI\,-e <engine>\/\fR] \fI\,<var> <efi sig list file> <output file>\/\fR
.SH DESCRIPTION
Produce an output file with an authentication header for direct
update to a secure variable.  This output may be signed by the usual keys directly
or may be split for external signing using the \fB\-o\fR and \fB\-i\fR options.
.SH OPTIONS
.TP
\fB\-r\fR
the certificate is rsa2048 rather than x509 [UNIMPLEMENTED]
.TP
\fB\-m\fR
Use a monotonic count instead of a timestamp [UNIMPLEMENTED]
.TP
\fB\-a\fR
Prepare the variable for APPEND_WRITE rather than replacement
.TP
\fB\-o\fR
Do not sign, but output a file of the exact bundle to be signed
.TP
\fB\-t\fR <timestamp>
Use <timestamp> as the timestamp of the timed variable update
If not present, then the timestamp will be taken from system
time.  Note you must use this option when doing detached
signing otherwise the signature will be incorrect because
of timestamp mismatches.
.TP
\fB\-i\fR <infile>
take a detached signature (in PEM format) of the bundle
produced by \fB\-o\fR and complete the creation of the update
.TP
\fB\-g\fR <guid>
Use <guid> as the signature owner GUID
.TP
\fB\-c\fR <crt>
<crt> is the file containing the signing certificate in PEM format
.TP
\fB\-k\fR <key>
<key> is the file containing the key for <crt> in PEM format
.TP
\fB\-e\fR <engine>
Use openssl engine <engine> for the private key
.SH EXAMPLES

To sign a simple append update to db which has been prepared
as an EFI Signature List in DB.esl and output the result
with the authentication header in DB.auth

sign-efi-sig-list -a -c KEK.crt -k KEK.key db DB.esl DB.auth

To do a detached signature in the same way

sign-efi-sig-list -a -t 'Jul 21 09:39:37 BST 2012' -o db DB.esl DB.forsig

Now sign the DB.forsig file in the standard openssl way.
Note that the standards require sha256 as the signature algorithm

openssl smime -sign -binary -in DB.forsig -out DB.signed -signer KEK.crt -inkey KEK.key -outform DER -md sha256

Which produces a detached PKCS7 signature in DB.signed.  Now
feed this back into the program remembering to keep the same
timestamp (and the -a flag):

sign-efi-sig-list -a -i DB.signed -t 'Jul 21 09:39:37 BST 2012' db DB.auth

To delete a key, simply sign an empty EFI signature list
file, so to produce an variable update that will delete the
PK:

> null.esl

And then sign it in the standard way (must not be an append
write update):

sign-efi-sig-list -c PK.crt -k PK.key PK null.esl PK.auth

Once you have the .auth file conveyed to the UEFI platform,
you can use the UpdateVars.efi program to apply it

UpdateVars [-a] db DB.auth

Where the -a flag must be present if the DB.auth file was
created as an append write update and absent if its
replacing the variable.
.SH "SEE ALSO"

cert-to-efi-sig-list(1) for details on how to produce EFI
signature lists.