systemd-sbsign - Man Page

systemd-sbsign [Options...] {COMMAND}

systemd-sbsign can be used to sign PE binaries for EFI Secure Boot.

sign

Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE binary already has a certificate table, the new signature will be added to it. Otherwise a new certificate table will be created. The signed PE binary will be written to the path specified with --output=.

Added in version 257.

The following options are understood:

--output=PATH

Specifies the path where to write the signed PE binary.

Added in version 257.

--private-key=PATH/URI, --private-key-source=TYPE[:NAME], --certificate=PATH, --certificate-source=TYPE[:NAME]

Set the Secure Boot private key and certificate for use with the sign. The --certificate= option takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider configured with --certificate-source. The --certificate-source takes one of "file" or "provider", with the latter being followed by a specific provider identifier, separated with a colon, e.g. "provider:pkcs11". The --private-key= option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as "engine:pkcs11". The specified OpenSSL signing engine or provider will be used to sign the PE binary.

Added in version 257.

-h,  --help

Print a short help text and exit.

--version

Print a short version string and exit.

bootctl(1)

systemd.directives(7), systemd.index(7), systemd-keyutil(1).