'\" t
.TH "SYSTEMD\-SBSIGN" "1" "" "systemd 257.5" "systemd-sbsign"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd-sbsign \- Sign PE binaries for EFI Secure Boot
.SH "SYNOPSIS"
.HP \w'\fBsystemd\-sbsign\fR\ 'u
\fBsystemd\-sbsign\fR [OPTIONS...] {COMMAND}
.SH "DESCRIPTION"
.PP
\fBsystemd\-sbsign\fR
can be used to sign PE binaries for EFI Secure Boot\&.
.SH "COMMANDS"
.PP
\fBsign\fR
.RS 4
Signs the given PE binary for EFI Secure Boot\&. Takes a path to a PE binary as its argument\&. If the PE binary already has a certificate table, the new signature will be added to it\&. Otherwise a new certificate table will be created\&. The signed PE binary will be written to the path specified with
\fB\-\-output=\fR\&.
.sp
Added in version 257\&.
.RE
.SH "OPTIONS"
.PP
The following options are understood:
.PP
\fB\-\-output=\fR\fB\fIPATH\fR\fR
.RS 4
Specifies the path where to write the signed PE binary\&.
.sp
Added in version 257\&.
.RE
.PP
\fB\-\-private\-key=\fR\fB\fIPATH/URI\fR\fR, \fB\-\-private\-key\-source=\fR\fB\fITYPE\fR\fR\fB[:\fR\fB\fINAME\fR\fR\fB]\fR, \fB\-\-certificate=\fR\fB\fIPATH\fR\fR, \fB\-\-certificate\-source=\fR\fB\fITYPE\fR\fR\fB[:\fR\fB\fINAME\fR\fR\fB]\fR
.RS 4
Set the Secure Boot private key and certificate for use with the
\fBsign\fR\&. The
\fB\-\-certificate=\fR
option takes a path to a PEM encoded X\&.509 certificate or a URI that\*(Aqs passed to the OpenSSL provider configured with
\fB\-\-certificate\-source\fR\&. The
\fB\-\-certificate\-source\fR
takes one of
"file"
or
"provider", with the latter being followed by a specific provider identifier, separated with a colon, e\&.g\&.
"provider:pkcs11"\&. The
\fB\-\-private\-key=\fR
option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by
\fB\-\-private\-key\-source=\fR
as a
"type:name"
tuple, such as
"engine:pkcs11"\&. The specified OpenSSL signing engine or provider will be used to sign the PE binary\&.
.sp
Added in version 257\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Print a short help text and exit\&.
.RE
.PP
\fB\-\-version\fR
.RS 4
Print a short version string and exit\&.
.RE
.SH "SEE ALSO"
.PP
\fBbootctl\fR(1)