pesign man page

pesign — command line tool for signing UEFI applications

Synopsis

pesign [--in=infile | -i infile]
      [--out=outfile | -o outfile]
      [--certdir=certdir | -n certdir]
      [--nss-token=token | -t token]
      [--certificate=nickname | -c nickname]
      [--force | -f] [--sign | -s] [--hash | -h]
      [--digest_type=digest | -d digest]
      [--show-signature | -S ] [--remove-signature | -r ]
      [--export-pubkey=outkey | -K outkey]
      [--export-cert=outcert | -C outcert]
      [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
      [--signature-number=signum | -u signum]

Description

pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.

Options

--in=infile

Specify input binary.

--out=outfile

Specify output binary.

--certdir=certdir

Specify nss certificate database directory.

--nss-token=token

Use the specified NSS token's certificate database.

--certificate=nickname

Use the certificate database entry with the specified nickname for signing.

--force

Overwrite output files. Without this parameter, pesign will refuse to overwrite any output files which already exist.

--sign

Sign the input binary with the key specified by --certificate.

--hash

Display the cryptographic digest of the input binary on standard output.

--digest_type=digest

Use the specified digest in hashing and signing operations. By default, this value is "sha256".  Use "--digest_type=help" to list the available digests.

--show-signature

Show information about the signature of the input binary.

--remove-signature

Remove the signature section from the binary.

--signature-number=signum

Specify which signature to operate on.  This field is zero-indexed.

--export-pubkey=outkey

Export the public key specified by --certificate to outkey.

--export-cert=outcert

Export the certificate specified by --certificate to outcert.

--ascii-armor

Use ascii armoring on exported certificates.

--daemonize

Spawn a daemon for use with pesign-client(1).

--nofork

Do not fork when using --daemonize.

Examples

If you have a certificate file and private key file, the following steps may be used to sign a PE image:

# Create a pkcs12 file from private key and
# certificate file.
host:~$ openssl pkcs12 -export -out foo_key.p12 \
            -inkey signing_key.pem \
            -in xyz_cert.x509.pem
# Import pkcs12 file into pesign db
host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign
# Do the signing
host:~$ pesign -i <input-file> -o <output-file> \
            -c <cert nickname> -s

Please note that this is just an example, and that recommended best practice is to always store private keys in a FIPS 140-2 hardware security module, level 2 or higher.
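The same three steps, wrapped in a small POSIX shell script as an added example (this is not part of pesign or of the man page above). It adds the checks a signer usually wants around the procedure: it refuses to overwrite an existing output file unless explicitly told to, mirroring pesign's own --force behaviour; it deletes the intermediate PKCS#12 file as soon as it has been imported, because that file carries the private key; and it runs pesign --show-signature on the result so the certificate actually used can be confirmed. The function names import_signing_key and sign_pe, the NSS directory /etc/pki/pesign, the nickname mycert and the file names in the usage guard are all placeholders chosen for the example.

```shell
#!/bin/sh
# Added example wrapper around the pesign signing procedure; not part of pesign.
# Function names, the NSS directory, the nickname and file names are placeholders.

# import_signing_key KEY.pem CERT.pem NSSDIR NICKNAME
#   Bundle a PEM private key and certificate into a temporary PKCS#12 file,
#   import it into the NSS database at NSSDIR, then delete the PKCS#12 file,
#   since it carries the private key. openssl and pk12util prompt for the
#   export password. Returns 2 on a precondition failure, 1 if a tool fails.
import_signing_key() {
    key=$1; cert=$2; nssdir=$3; nick=$4
    if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
        echo "import_signing_key: key or certificate not readable" >&2; return 2
    fi
    if [ ! -d "$nssdir" ]; then
        echo "import_signing_key: NSS database directory $nssdir missing" >&2; return 2
    fi
    p12=$(mktemp) || return 2
    # -name sets the friendly name, which becomes the nickname that
    # pesign later selects with --certificate.
    if ! openssl pkcs12 -export -out "$p12" -inkey "$key" -in "$cert" -name "$nick"; then
        rm -f "$p12"; return 1
    fi
    pk12util -i "$p12" -d "$nssdir"
    rc=$?
    rm -f "$p12"
    if [ "$rc" -ne 0 ]; then return 1; fi
    return 0
}

# sign_pe INFILE OUTFILE NICKNAME NSSDIR [force]
#   Sign INFILE into OUTFILE with the NSS certificate NICKNAME. Like pesign,
#   refuse to overwrite an existing OUTFILE unless the fifth argument is "yes",
#   in which case --force is passed through. After signing, display the
#   signature(s) on the output so the signer can confirm the certificate used.
#   Returns 0 on success, 1 if pesign fails, 2 on a precondition failure.
sign_pe() {
    infile=$1; outfile=$2; nick=$3; nssdir=$4; force=${5:-no}
    if [ ! -r "$infile" ]; then
        echo "sign_pe: input $infile not readable" >&2; return 2
    fi
    if [ -e "$outfile" ] && [ "$force" != yes ]; then
        echo "sign_pe: $outfile exists; pass force=yes to overwrite" >&2; return 2
    fi
    if ! command -v pesign >/dev/null 2>&1; then
        echo "sign_pe: pesign not installed" >&2; return 2
    fi
    set -- -n "$nssdir" -c "$nick" -i "$infile" -o "$outfile" -s
    if [ "$force" = yes ]; then set -- "$@" -f; fi
    pesign "$@" || return 1
    # Show what was written; --show-signature reads the output binary only.
    pesign -n "$nssdir" -i "$outfile" -S
}

# Usage with placeholder names; run as: PESIGN_EXAMPLE=1 sh sign-pe.sh
if [ "${PESIGN_EXAMPLE:-0}" = 1 ]; then
    import_signing_key signing_key.pem xyz_cert.x509.pem /etc/pki/pesign mycert &&
    sign_pe input.efi input-signed.efi mycert /etc/pki/pesign
fi
```

The precondition checks run before any tool is invoked, so a refused overwrite or a missing input costs nothing and leaves the NSS database untouched; pass "yes" as the fifth argument only when clobbering the output is intended.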

See Also

pesign-client(1)

FIPS 140-2 http://csrc.nist.gov/publications/PubsFIPS.html

Authors

Peter Jones

Referenced By

authvar(1), efikeygen(1), efisiglist(1), pesign-client(1).

Thu Jun 21 2012