SYSTEMD-SBSIGN(1) systemd-sbsign SYSTEMD-SBSIGN(1) NAME systemd-sbsign - Sign PE binaries for EFI Secure Boot SYNOPSIS systemd-sbsign [OPTIONS...] {COMMAND} DESCRIPTION systemd-sbsign can be used to sign PE binaries for EFI Secure Boot. COMMANDS sign Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE binary already has a certificate table, the new signature will be added to it. Otherwise a new certificate table will be created. The signed PE binary will be written to the path specified with --output=. Added in version 257. OPTIONS The following options are understood: --output=PATH Specifies the path where to write the signed PE binary. Added in version 257. --private-key=PATH/URI, --private-key-source=TYPE[:NAME], --certificate=PATH, --certificate-source=TYPE[:NAME] Set the Secure Boot private key and certificate for use with the sign. The --certificate= option takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider configured with --certificate-source. The --certificate-source takes one of "file" or "provider", with the latter being followed by a specific provider identifier, separated with a colon, e.g. "provider:pkcs11". The --private-key= option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as "engine:pkcs11". The specified OpenSSL signing engine or provider will be used to sign the PE binary. Added in version 257. -h, --help Print a short help text and exit. --version Print a short version string and exit. SEE ALSO bootctl(1) systemd 257.5 SYSTEMD-SBSIGN(1)