'\" t
.TH "SYSTEMD\-SBSIGN" "1" "" "systemd 257.5" "systemd-sbsign"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd-sbsign \- Sign PE binaries for EFI Secure Boot
.SH "SYNOPSIS"
.HP \w'\fBsystemd\-sbsign\fR\ 'u
\fBsystemd\-sbsign\fR [OPTIONS...] {COMMAND}
.SH "DESCRIPTION"
.PP
\fBsystemd\-sbsign\fR
can be used to sign PE binaries for EFI Secure Boot\&.
.SH "COMMANDS"
.PP
\fBsign\fR
.RS 4
Signs the given PE binary for EFI Secure Boot\&. Takes a path to a PE binary as its argument\&. If the PE binary already has a certificate table, the new signature will be added to it\&. Otherwise a new certificate table will be created\&. The signed PE binary will be written to the path specified with
\fB\-\-output=\fR\&.
.sp
Added in version 257\&.
.RE
.SH "OPTIONS"
.PP
The following options are understood:
.PP
\fB\-\-output=\fR\fB\fIPATH\fR\fR
.RS 4
Specifies the path where the signed PE binary is written\&.
.sp
Added in version 257\&.
.RE
.PP
\fB\-\-private\-key=\fR\fB\fIPATH/URI\fR\fR, \fB\-\-private\-key\-source=\fR\fB\fITYPE\fR\fR\fB[:\fR\fB\fINAME\fR\fR\fB]\fR, \fB\-\-certificate=\fR\fB\fIPATH\fR\fR, \fB\-\-certificate\-source=\fR\fB\fITYPE\fR\fR\fB[:\fR\fB\fINAME\fR\fR\fB]\fR
.RS 4
Set the Secure Boot private key and certificate for use with the
\fBsign\fR
command\&. The
\fB\-\-certificate=\fR
option takes a path to a PEM encoded X\&.509 certificate or a URI that\*(Aqs passed to the OpenSSL provider configured with
\fB\-\-certificate\-source=\fR\&. The
\fB\-\-certificate\-source=\fR
option takes one of
"file"
or
"provider", with the latter being followed by a specific provider identifier, separated with a colon, e\&.g\&.
"provider:pkcs11"\&. The
\fB\-\-private\-key=\fR
option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by
\fB\-\-private\-key\-source=\fR
as a
"type:name"
tuple, such as
"engine:pkcs11"\&. The specified OpenSSL signing engine or provider will be used to sign the PE binary\&.
.sp
Added in version 257\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Print a short help text and exit\&.
.RE
.PP
\fB\-\-version\fR
.RS 4
Print a short version string and exit\&.
.RE
.SH "SEE ALSO"
.PP
\fBbootctl\fR(1)
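.PP
Added example, not part of the systemd manual page or of systemd itself: a Python parser that lists the entries of a PE certificate table, so the input and the signed output of the sign command can be compared (the output should carry one more entry). The header offsets follow the published PE/COFF layout; the function names and the constructed sample image are assumptions of this example.

```python
import struct

SECURITY_DIR = 4            # data directory index of the certificate table
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA (Authenticode)

def _dir_entry_offset(pe: bytes) -> int:
    """Return the file offset of the certificate table directory entry."""
    (nt,) = struct.unpack_from("<I", pe, 0x3C)      # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE" + bytes(2):
        raise ValueError("not a PE file")
    opt = nt + 24                                   # optional header start
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)    # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)
    if count <= SECURITY_DIR:
        raise ValueError("image has no certificate table directory slot")
    return dirs + 8 * SECURITY_DIR

def list_signatures(pe: bytes) -> list:
    """Return (revision, type, payload_len) for each WIN_CERTIFICATE entry."""
    # For this directory the "address" field is a plain file offset.
    offset, size = struct.unpack_from("<II", pe, _dir_entry_offset(pe))
    if offset + size > len(pe):
        raise ValueError("certificate table extends past end of file")
    entries, pos, end = [], offset, offset + size
    while pos + 8 <= end:                           # size 0 means unsigned
        length, revision, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE length")
        entries.append((revision, ctype, length - 8))
        pos += (length + 7) & ~7                    # entries are 8-byte aligned
    return entries

def constructed_pe(payloads=()) -> bytes:
    """Build a minimal PE32+ header (constructed sample, not a bootable image)."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2], hdr[0x40:0x42] = b"MZ", b"PE"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)
    struct.pack_into("<I", hdr, 0x40 + 24 + 108, 16)
    table = b""
    for p in payloads:                              # payloads stand in for PKCS#7 blobs
        entry = struct.pack("<IHH", 8 + len(p), 0x0200, PKCS_SIGNED_DATA) + p
        table += entry + bytes(-len(entry) % 8)
    if table:
        struct.pack_into("<II", hdr, 0x40 + 24 + 112 + 32, len(hdr), len(table))
    return bytes(hdr + table)
```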