SIG-LIST-TO-CERTS(1)             User Commands            SIG-LIST-TO-CERTS(1)

NAME

       sig-list-to-certs - tool for converting EFI signature lists back to
       openssl certificates

SYNOPSIS

       sig-list-to-certs <efi sig list file> <cert file base name>

DESCRIPTION

       Takes <efi sig list file> and converts it to a set of DER format
       openssl certificates in <cert file base name>.n (where n runs from 0 to
       the number of certificates in the file).

EXAMPLES

       To see what certificates your UEFI system currently has, you can run
       the dmpstore command to print them to a file:

       dmpstore PK > PK.uc16

       This file isn't readily readable on a standard Unix system because
       it's in UTF-16 format, so convert it to ordinary text:

       iconv -f utf-16 PK.uc16 > PK.txt

       Now remove the header, which says something like

        Dump Variable pk
        Variable NV+RT+BS 'Efi:PK' DataSize = 2DA

       leaving only the hex dump. This can then be converted to an EFI
       signature list by xxd:

       xxd -r PK.txt > PK.esl

       You can now extract openssl-readable certificates from this:

       sig-list-to-certs PK.esl PK

       which will print some information like

        X509 Header sls=730, header=0, sig=686
        file PK.0: Guid 77fa9abd-0359-4d32-4d60-28f4e78f784b
        Written 686 bytes

       And finally, you can see the certificate in text format:

       openssl x509 -text -inform DER -in PK.0

       assuming it's an X509 certificate.
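
       The sizes in the sample output fit the EFI_SIGNATURE_LIST layout of
       the UEFI specification: a 28-byte list header, then entries made of a
       16-byte owner GUID plus the data, so 730 = 28 + 16 + 686 (DataSize 2DA
       is 730 in hex). The Python parser below is an added example, not
       efitools code; parse_sig_lists and build_sample_esl are hypothetical
       names and the sample list is constructed from placeholder bytes.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
LIST_HEADER = struct.Struct("<16sIII")


def parse_sig_lists(esl):
    """Return [(type_guid, owner_guid, data), ...] for every entry in esl."""
    entries = []
    offset = 0
    while offset < len(esl):
        if len(esl) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, sls, header, sig = LIST_HEADER.unpack_from(esl, offset)
        # Reject sizes that would read outside the buffer or never advance.
        if sls < LIST_HEADER.size + header or offset + sls > len(esl):
            raise ValueError("bad SignatureListSize %d" % sls)
        if sig <= 16:
            raise ValueError("bad SignatureSize %d" % sig)
        body = sls - LIST_HEADER.size - header
        if body % sig:
            raise ValueError("list body is not a whole number of entries")
        kind = uuid.UUID(bytes_le=raw_type)
        pos = offset + LIST_HEADER.size + header
        for _ in range(body // sig):
            owner = uuid.UUID(bytes_le=esl[pos:pos + 16])
            entries.append((kind, owner, esl[pos + 16:pos + sig]))
            pos += sig
        offset += sls
    return entries


def build_sample_esl(cert, owner):
    """Constructed sample: one X509 signature list holding one entry."""
    sig = 16 + len(cert)
    head = LIST_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                            LIST_HEADER.size + sig, 0, sig)
    return head + owner.bytes_le + cert


if __name__ == "__main__":
    owner = uuid.UUID("77fa9abd-0359-4d32-4d60-28f4e78f784b")  # GUID from the output above
    esl = build_sample_esl(b"\x30\x82" + bytes(684), owner)  # 686 placeholder bytes, not a real cert
    for n, (kind, who, data) in enumerate(parse_sig_lists(esl)):
        print("file PK.%d: Guid %s, %d bytes, X509=%s"
              % (n, who, len(data), kind == EFI_CERT_X509_GUID))
```

       The size checks matter when the dump has been edited by hand: a
       leftover header line or a missing hex row shows up as a bad
       SignatureListSize instead of a malformed certificate file.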

Usage: ./sig-list-to-certs <efi sig list file> <cert file base name>    March 2021    SIG-LIST-TO-CERTS(1)