PESIGN(1)                   General Commands Manual                  PESIGN(1)


NAME

       pesign - command line tool for signing UEFI applications


SYNOPSIS

       pesign [--in=infile | -i infile]
              [--out=outfile | -o outfile]
              [--certdir=certdir | -n certdir]
              [--nss-token=token | -t token]
              [--certificate=nickname | -c nickname]
              [--force | -f] [--sign | -s] [--hash | -h]
              [--digest_type=digest | -d digest]
              [--show-signature | -S] [--remove-signature | -r]
              [--export-pubkey=outkey | -K outkey]
              [--export-cert=outcert | -C outcert]
              [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
              [--signature-number=signum | -u signum]


DESCRIPTION

       pesign is a command line tool for manipulating signatures and
       cryptographic digests of UEFI applications, which are PE images.


OPTIONS

       --in=infile
              Specify the input binary.

       --out=outfile
              Specify the output binary.

       --certdir=certdir
              Specify the NSS certificate database directory.

       --nss-token=token
              Use the specified NSS token's certificate database.

       --certificate=nickname
              Use the certificate database entry with the specified nickname
              for signing.

       --force
              Overwrite output files. Without this parameter, pesign will
              refuse to overwrite any output file that already exists.

       --sign Sign the input binary with the key specified by --certificate.

       --hash Display the cryptographic digest of the input binary on standard
              output. This is the PE image digest that a signature covers: it
              is computed with the CheckSum field, the security data directory
              entry and any existing signature section left out, so it is not
              a plain digest of the whole file.

       --digest_type=digest
              Use the specified digest in hashing and signing operations. By
              default, this value is "sha256". Use "--digest_type=help" to
              list the available digests.

       --show-signature
              Show information about the signature of the input binary.

       --remove-signature
              Remove the signature section from the binary.

       --signature-number=signum
              Specify which signature to operate on. Signatures are counted
              from zero in the order they appear in the binary's signature
              section.

       --export-pubkey=outkey
              Export the public key specified by --certificate to outkey.

       --export-cert=outcert
              Export the certificate specified by --certificate to outcert.

       --ascii-armor
              Use ASCII armoring on exported certificates.

       --daemonize
              Spawn a daemon for use with pesign-client(1).

       --nofork
              Do not fork when using --daemonize.


EXAMPLES

       If you have a certificate file and private key file, the following
       steps may be used to sign a PE image:

           # Create a pkcs12 file from private key and
           # certificate file.
           host:~$ openssl pkcs12 -export -out foo_key.p12 \
                           -inkey signing_key.pem \
                           -in xyz_cert.x509.pem

           # Import pkcs12 file into pesign db
           host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign

           # Do the signing
           host:~$ pesign -i <input-file> -o <output-file> \
                          -c <cert nickname>  -s

       Check the output with --show-signature before distributing it. Please
       note that this is just an example, and that recommended best practice
       is to always store private keys in a FIPS 140-2 hardware security
       module, level 2 or higher, rather than in a file-based NSS database as
       shown here.


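       The following is an added example written for this page; it is not
       pesign's own code. It shows in Python what the --hash,
       --show-signature, --remove-signature and --signature-number options
       act on: the attribute certificate table that the PE security data
       directory points to, the WIN_CERTIFICATE entries inside it (indexed
       from zero, as --signature-number counts them), and the image digest
       computed with the CheckSum field, the security directory entry and the
       certificate table skipped. The input is a constructed, non-loadable
       PE32+ image built inline, and the certificate blob it carries is a
       placeholder rather than a real PKCS#7 signature. That pesign --hash
       prints the same digest for a real binary is an assumption to confirm
       against the tool, not something this page states.

```python
"""Added example, not pesign's own code: inspect the parts of a PE image that
pesign --hash, --show-signature, --remove-signature and --signature-number
act on.  The digest follows the Microsoft Authenticode PE hashing rules; that
pesign --hash prints the same value for a real binary is an assumption to
check against the tool, not something the man page states."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset/size of the certificate table


def parse_pe(data):
    """Return the header offsets that hashing and signature inspection need."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unsupported optional header magic")
    dd = opt + (96 if magic == 0x10B else 112)               # data directory array (PE32 / PE32+)
    sec_tab = opt + size_opt
    sections = [struct.unpack_from("<II", data, sec_tab + 40 * i + 16)  # (SizeOfRawData, PointerToRawData)
                for i in range(nsec)]
    return {"checksum_off": opt + 64,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "security_dir_off": dd + 8 * SECURITY_DIR,
            "sections": sections}


def list_signatures(data):
    """Walk the WIN_CERTIFICATE entries; the index is what --signature-number selects (zero-based)."""
    h = parse_pe(data)
    cert_off, cert_size = struct.unpack_from("<II", data, h["security_dir_off"])
    entries, pos, end = [], cert_off, cert_off + cert_size
    while cert_size and pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)  # dwLength, wRevision, wCertificateType
        if length < 8 or pos + length > end:
            raise ValueError("corrupt certificate table")
        entries.append({"index": len(entries), "offset": pos, "length": length,
                        "revision": revision, "type": ctype, "blob": data[pos + 8:pos + length]})
        pos += (length + 7) & ~7                             # entries are 8-byte aligned
    return entries


def authenticode_hash(data, digest="sha256"):
    """Digest of the image with CheckSum, the security directory entry and the certificate table skipped."""
    h = parse_pe(data)
    cs, sd, soh = h["checksum_off"], h["security_dir_off"], h["size_of_headers"]
    md = hashlib.new(digest)
    md.update(data[:cs])                                      # headers up to CheckSum
    md.update(data[cs + 4:sd])                                # skip the 4-byte CheckSum
    md.update(data[sd + 8:soh])                               # skip the 8-byte security directory entry
    hashed = soh
    for size, ptr in sorted(h["sections"], key=lambda s: s[1]):   # sections in file order
        md.update(data[ptr:ptr + size])
        hashed += size
    cert_size = struct.unpack_from("<I", data, sd + 4)[0]
    if len(data) > hashed:                                    # trailing data, minus the certificate table
        md.update(data[hashed:len(data) - cert_size])
    return md.hexdigest()


def remove_signature(data):
    """What --remove-signature does: drop the certificate table and clear its directory entry."""
    h = parse_pe(data)
    cert_off, cert_size = struct.unpack_from("<II", data, h["security_dir_off"])
    out = bytearray(data)
    if cert_size:
        del out[cert_off:cert_off + cert_size]
        struct.pack_into("<II", out, h["security_dir_off"], 0, 0)
    return bytes(out)


def build_sample_pe(cert_blobs=()):
    """Constructed minimal PE32+ (one .text section, nothing loadable) used as test input."""
    size_of_headers, text = 512, b"\x48\x31\xc0\xc3".ljust(512, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    opt = bytearray(112 + 16 * 8)                             # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 60, size_of_headers)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    certs = b""
    for blob in cert_blobs:                                   # WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        certs += entry.ljust((len(entry) + 7) & ~7, b"\0")
    if certs:
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, size_of_headers + len(text), len(certs))
    header = (bytes(dos) + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return header + text + certs


if __name__ == "__main__":
    img = build_sample_pe([b"\x30\x82\x00\x05fake-pkcs7"])   # placeholder blob, not a real PKCS#7 signature
    for s in list_signatures(img):
        print(f"signature {s['index']}: offset={s['offset']} length={s['length']} "
              f"revision={s['revision']:#06x} type={s['type']:#06x}")
    print("authenticode sha256:", authenticode_hash(img))
    print("unchanged by signing:", authenticode_hash(img) == authenticode_hash(remove_signature(img)))
```

       Because the CheckSum field, the security directory entry and the
       certificate table are all excluded, the digest of a signed image
       equals the digest of the same image with its signature removed; that
       is what lets a signature be attached without invalidating the value it
       protects. To compare against pesign on a real binary, run it on a
       file and pesign --hash -i on the same file; the digests should agree.
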
SEE ALSO

       pesign-client(1)

       FIPS 140-2 http://csrc.nist.gov/publications/PubsFIPS.html


AUTHORS

       Peter Jones



                                Thu Jun 21 2012                      PESIGN(1)