PESIGN(1) General Commands Manual PESIGN(1) NAME pesign - tool for signing UEFI applications SYNOPSIS pesign -i file [-o file] [-f] [-n directory] [-t token] [-c nickname] [-u number] [-m file] [-e file] [-I file] [-E file] [-R file] [-K file] [-C file] [-a] [-l] [-S] [-v] <-s | -D [-N] | -r | -h [-d digest] [-P | -p]> DESCRIPTION pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications. OPTIONS -i file | --in file Input PE file for signing -o file | --out file Output PE file for signing -f | --force Overwrite existing file specified with --out -n directory | --certdir directory Use the NSS Database in directory (default: /etc/pki/pesign) -t token | --token token Use the NSS token named token -c nickname | --certificate nickname Use the certificate called nickname in the NSS Database -u number | --signature-number number Signature number, indexed from 0, for use with --remove-signature, --export-signature, or --show-signature (default: 0) -m file | --import-signature file Import Authenticode signature from file -e file | --export-signature file Export Authenticode signature to file -I file | --import-signed-attributes file Import PKCS-7 SignedAttributes (with no signature) from file -E file | --export-signed-attributes file Export PKCS-7 SignedAttributes (with no signature) to file -R file | --import-raw-signature file Import signature digest from file -K file | --export-pubkey file Export public key from the NSS Database specified by --token and --certificate to file -C file | --export-cert file Export certificate from the NSS Database specified by --token and --certificate to file -a | --ascii-armor When exporting certificates, encode them in ascii-armor -l | --list-signatures List signatures -S | --show-signature Show information about signatures -v | --verbose Be more verbose -s | --sign Create a new signature -D | --daemonize Run as a daemon -N | --nofork Do not fork when daemonizing (daemon runs in foreground) -r | --remove-signature Remove signature -h | --hash Display the Authenticode hash of the binary -d digest | --digest-type digest Use the cryptorgaphic digest with --hash (use help to list options) (default: sha256) -P | --padding | -p | --nopadding Do or do not pad the binary according to PE 9.3 rules before signing or hashing (default: --padding) Padding is recommended (and in many circumstances required) even for binaries which predate the current PE spec, and is enabled by default as of pesign 113. EXAMPLES Signing with the certificate and private key in individual files If you have a certificate file and private key file, the following steps may be used to sign a PE image: # Create a pkcs12 file from private key and certificate file. host:~$ openssl pkcs12 -export -out foo_key.p12 \ -inkey signing_key.pem -in xyz_cert.x509.pem # Import pkcs12 file into pesign db host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign # Do the signing host:~$ pesign -c my-signing-cert -s \ -i foo.unsigned.efi -o foo.signed.efi Please note that this is just an example, and that recommended best practice is to always store private keys in a FIPS 140-2 Hardware Security Module (HSM), level 2 or higher. Signing using an HSM If you have a key pair in your HSM and your HSM vendor provides a PKCS-11 library, you can use it with NSS directly: # Add the HSM PKCS-11 library to the NSS database host:~$ modutil -dbdir /etc/pki/pesign -add vendor-engine \ -libfile /usr/lib64/pkcs11/vendor-engine.so WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q ' to abort, or to continue: Module "vendor-engine" added to database. # List the added module host:~$ modutil -dbdir /etc/pki/pesign -list ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.52 slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 slot: NSS User Private Key and Certificate Services token: NSS Certificate DB uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 2. opensc-pkcs11.so library name: /usr/lib64/pkcs11/opensc-pkcs11.so uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.20 slots: 1 slot attached status: loaded slot: Generic Smart Card Reader Interface [Smart Card Reader Interf... token: OpenSC Card (myorg-sb-signer) uri: pkcs11:token=OpenSC%20Card%20(myorg-sb-signer);manufacturer=OpenSC%20Project;serial=56516a130f35;model=PKCS%2315 ----------------------------------------------------------- # List certs in tokens host:~$ certutil -d /etc/pki/pesign \ -h "OpenSC Card (myorg-sb-signer)" -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Enter Password or Pin for "OpenSC Card (myorg-sb-signer)": OpenSC Card (myorg-sb-signer):/CN=My Org's SB Signer u,u,u # Sign with private key in HSM host:~$ pesign -t "OpenSC Card (myorg-sb-signer)" \ -c "OpenSC Card (myorg-sb-signer):/CN=My Org's SB Signer" \ -s -i foo.unsigned.efi -o foo.efi Signing using an HSM with an OpenSSL Engine If you have a key pair in your HSM but can't access it directly, but do have access to the openssl command line tool configured with your vendor's libraries, you can still use pesign to sign your PE binaries: # Import the public certificate into the NSS Database host:~$ certutil -d /etc/pki/pesign -A -n myorg-sb-signer \ -t ,,u -i myorg-sb-signer.cer # Export the PKCS-7 SignedAttributes section pesign generates host:~$ pesign -i foo.unsigned.efi -E foo.sattrs.bin # Generate a signature using OpenSSL host:~$ openssl dgst -sha256 -sign $KEY \ --keyform ENGINE --engine $ENGINEID \ -out foo.sattrs.sig foo.sattrs.bin # Import the signature with the original SignedAttributes into # the PE binary host:~$ pesign -c myorg-sb-signer \ -R foo.sattrs.sig -I foo.sattrs.bin \ -i foo.unsigned.efi -o foo.efi STANDARDS B. Kaliski, PKCS #7: Cryptographic Message Syntax v1.5, Internet Engineering Task Force, RFC 2315, https://tools.ietf.org/html/rfc2315 , March 1998. K. Moriarty, M. Nystrom, S. Parkinson, A. Rusch, and M. Scott, PKCS #12: Personal Information Exchange Syntax v1.1, Internet Engineering Task Force, RFC 7292, https://tools.ietf.org/html/rfc7292 , July 2014. PKCS11 Technical Committee, PKCS#11: Cryptographic Token Interface Standard, OASIS, https://www.cryptsoft.com/pkcs11doc/. M. Nystrom, PKCS #15--A Cryptographic-Token Information Format Standard, RSA Laboratories, https://www.usenix.org/legacy/events/smartcard99/full_papers/nystrom/nystrom.pdf , 1999. Portable Executable, Microsoft, https://docs.microsoft.com/en-us/windows/win32/debug/pe-format , August 26, 2019. Windows Authenticode Portable Executable Signature Format, Microsoft, https://web.archive.org/web/20130518222430/http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx , March 21, 2008. Federal Information Processing Standard 140-2, United States Department of Commerce, FIPS 140-2, http://csrc.nist.gov/publications/PubsFIPS.html , National Institute of Standards and Technology. SEE ALSO certutil(1), efikeygen(1), modutil(1), opensc-tool(1), openssl(1ssl), openssl-dgst(1ssl), pesign-client(1), pk12util(1), pkcs15-init(1), AUTHORS Peter Jones Vikas Charak (examples) Linux June 4, 2020 Linux