PESIGN(1)                 BSD General Commands Manual                PESIGN(1)

NAME

     pesign — tool for signing UEFI applications

SYNOPSIS

     pesign -i file [-o file] [-f] [-n directory] [-t token] [-c nickname]
            [-u number] [-m file] [-e file] [-I file] [-E file] [-R file]
            [-K file] [-C file] [-a] [-l] [-S] [-v]  ⟨-s | -D [-N] | -r | -h
            [-d digest] [-P | -p]⟩

DESCRIPTION

     pesign is a command line tool for manipulating signatures and
     cryptographic digests of UEFI applications.

OPTIONS

     -i file | --in file
             Input PE file

     -o file | --out file
             Output PE file: the signed or otherwise modified copy of the
             input

     -f | --force
             Overwrite an existing file specified with --out

     -n directory | --certdir directory
             Use the NSS Database in directory (default: /etc/pki/pesign)

     -t token | --token token
             Use the NSS token named token

     -c nickname | --certificate nickname
             Use the certificate called nickname in the NSS Database

     -u number | --signature-number number
             Signature number, indexed from 0, for use with
             --remove-signature, --export-signature, or --show-signature
             (default: 0)

     -m file | --import-signature file
             Import Authenticode signature from file

     -e file | --export-signature file
             Export Authenticode signature to file

     -I file | --import-signed-attributes file
             Import PKCS-7 SignedAttributes (with no signature) from file

     -E file | --export-signed-attributes file
             Export PKCS-7 SignedAttributes (with no signature) to file

     -R file | --import-raw-signature file
             Import a raw signature over the SignedAttributes from file
             (used together with --import-signed-attributes)

     -K file | --export-pubkey file
             Export public key from the NSS Database specified by --token and
             --certificate to file

     -C file | --export-cert file
             Export certificate from the NSS Database specified by --token and
             --certificate to file

     -a | --ascii-armor
             When exporting certificates, encode them in ascii-armor

     -l | --list-signatures
             List signatures

     -S | --show-signature
             Show information about signatures

     -v | --verbose
             Be more verbose

     -s | --sign
             Create a new signature

     -D | --daemonize
             Run as a daemon

     -N | --nofork
             Do not fork when daemonizing (daemon runs in foreground)

     -r | --remove-signature
             Remove signature

     -h | --hash
             Display the Authenticode hash of the binary

     -d digest | --digest-type digest
             Use the cryptographic digest with --hash (use help to list
             options) (default: sha256)

     -P | --padding | -p | --nopadding
             Do or do not pad the binary according to PE 9.3 rules before
             signing or hashing (default: --padding)

             Padding is recommended (and in many circumstances required) even
             for binaries which predate the current PE spec, and is enabled by
             default as of pesign 113.  If the binary's size is not already a
             multiple of 8, a hash computed with --nopadding will not match
             the hash of the padded, signed binary, so use the same setting
             for both.
101
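     The following Python program is an added example; it is not part of
     pesign or of this manual.  It shows what --hash, --padding/--nopadding,
     --list-signatures, --signature-number, --export-signature and
     --remove-signature operate on: the Authenticode digest (CheckSum and the
     certificate-table directory entry skipped, sections hashed in file
     order, the certificate table itself excluded) and the WIN_CERTIFICATE
     entries of the attribute certificate table.  The PE image it builds is
     a constructed, non-bootable PE32+ stub, the "signatures" it attaches are
     constructed placeholder blobs rather than PKCS#7 SignedData, and it
     assumes that --padding zero-pads the file to an 8-byte boundary and that
     the certificate table is the last thing in the file, which is where
     pesign places it.

```python
"""Authenticode digest and WIN_CERTIFICATE table handling for a PE image.
Added example, not pesign's own code: it shows the bytes that pesign -h,
-P/-p, -l, -u, -e and -r operate on.  pe_stub() is a constructed, non-bootable
PE32+ shell; the "signatures" attached to it below are constructed placeholder
blobs, not real PKCS#7 SignedData."""
import hashlib
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _layout(image):
    """Return (checksum_off, cert_dir_off, size_of_headers, section_hdr_off, nsections)."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = {0x20B: 112, 0x10B: 96}[magic]  # data directory offset: PE32+ / PE32
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    # CheckSum sits at +64 in both formats; entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY
    return opt + 64, opt + dirs + 8 * 4, size_of_headers, opt + opt_size, nsect


def authenticode_hash(image, digest="sha256", padding=True):
    """Digest as Authenticode does: skip CheckSum and the certificate-table
    directory entry, hash sections in file order, then trailing data minus the
    certificate table.  padding=True first zero-pads to an 8-byte boundary
    (assumed here to be what pesign's --padding does)."""
    cksum, cert_dir, hdr_size, sect_hdr, nsect = _layout(image)
    cert_off, cert_size = struct.unpack_from("<II", image, cert_dir)
    image = bytes(image) + b"\0" * (-len(image) % 8) if padding else bytes(image)
    h = hashlib.new(digest)
    h.update(image[:cksum])
    h.update(image[cksum + 4:cert_dir])
    h.update(image[cert_dir + 8:hdr_size])
    # (SizeOfRawData, PointerToRawData) of each section header
    sections = [struct.unpack_from("<II", image, sect_hdr + 40 * i + 16) for i in range(nsect)]
    end = hdr_size
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(image[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    h.update(image[end:cert_off] if cert_size else image[end:])
    if cert_size:
        h.update(image[cert_off + cert_size:])
    return h.hexdigest()


def list_signatures(image):
    """Return each entry's bCertificate (the PKCS#7 blob) in -u index order."""
    _, cert_dir, _, _, _ = _layout(image)
    off, size = struct.unpack_from("<II", image, cert_dir)
    blobs, end = [], off + size
    while size and off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % off)
        blobs.append(bytes(image[off + 8:off + length]))
        off += (length + 7) & ~7  # every entry starts on an 8-byte boundary
    return blobs


def set_signatures(image, blobs):
    """Rewrite the certificate table (-r / -m).  Assumes the existing table,
    if any, is the last thing in the file, which is where pesign writes it."""
    _, cert_dir, _, _, _ = _layout(image)
    off, size = struct.unpack_from("<II", image, cert_dir)
    body = bytearray(image[:off] if size else image)
    body += b"\0" * (-len(body) % 8)  # table begins on an 8-byte boundary
    table = b""
    for blob in blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", body, cert_dir, len(body) if table else 0, len(table))
    return bytes(body + table)


def set_checksum(image, value):
    """Copy of image with another CheckSum; the Authenticode digest ignores it."""
    out = bytearray(image)
    struct.pack_into("<I", out, _layout(image)[0], value)
    return bytes(out)


def pe_stub(trailing=b""):
    """Constructed PE32+ image: 512-byte headers, one 512-byte .text section, trailing data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)  # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + sect
    return headers + b"\0" * (0x200 - len(headers)) + bytes(range(256)) * 2 + trailing


if __name__ == "__main__":
    img = pe_stub(b"overlay-data!")  # 13 trailing bytes, so the size is not 8-aligned
    signed = set_signatures(img, [b"constructed-pkcs7-blob-zero", b"constructed-pkcs7-blob-one"])
    print("unsigned, -p:", authenticode_hash(img, padding=False))
    print("unsigned, -P:", authenticode_hash(img))
    print("signed:      ", authenticode_hash(signed), "signatures:", len(list_signatures(signed)))
```

     Running it shows that the padded digest of the unsigned stub equals the
     digest of the same stub after two entries have been attached, while the
     --nopadding digest does not, which is why the same padding setting has
     to be used before and after signing.  set_signatures() with the list
     minus one element is the table-level equivalent of --remove-signature
     with --signature-number.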

EXAMPLES

   Signing with the certificate and private key in individual files
     If you have a certificate file and private key file, the following steps
     may be used to sign a PE image:

     # Create a pkcs12 file from private key and certificate file.  The
     # -name value becomes the certificate's nickname in the NSS database.
     host:~$ openssl pkcs12 -export -out foo_key.p12 -name my-signing-cert \
             -inkey signing_key.pem -in xyz_cert.x509.pem

     # Import pkcs12 file into pesign db
     host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign

     # Do the signing
     host:~$ pesign -c my-signing-cert -s \
             -i foo.unsigned.efi -o foo.signed.efi

     # Confirm that the signature was attached
     host:~$ pesign -S -i foo.signed.efi

     Please note that this is just an example, and that recommended best
     practice is to always store private keys in a FIPS 140-2 Hardware
     Security Module (HSM), level 2 or higher.
   Signing using an HSM
     If you have a key pair in your HSM and your HSM vendor provides a PKCS-11
     library, you can use it with NSS directly:

     # Add the HSM PKCS-11 library to the NSS database
     host:~$ modutil -dbdir /etc/pki/pesign -add vendor-engine \
             -libfile /usr/lib64/pkcs11/vendor-engine.so
     WARNING: Performing this operation while the browser is running
     could cause corruption of your security databases. If the browser
     is currently running, you should exit browser before continuing
     this operation. Type
     'q <enter>' to abort, or <enter> to continue: <type enter here>

     Module "vendor-engine" added to database.

     # List the loaded modules (this capture shows an OpenSC module as the
     # second entry; your vendor's module will appear under its own name)
     host:~$ modutil -dbdir /etc/pki/pesign -list
     -----------------------------------------------------------
       1. NSS Internal PKCS #11 Module
                uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.52
              slots: 2 slots attached
             status: loaded

              slot: NSS Internal Cryptographic Services
             token: NSS Generic Crypto Services
               uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

              slot: NSS User Private Key and Certificate Services
             token: NSS Certificate DB
               uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

       2. opensc-pkcs11.so
             library name: /usr/lib64/pkcs11/opensc-pkcs11.so
                uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.20
              slots: 1 slot attached
             status: loaded

              slot: Generic Smart Card Reader Interface [Smart Card Reader Interf...
             token: OpenSC Card (myorg-sb-signer)
               uri: pkcs11:token=OpenSC%20Card%20(myorg-sb-signer);manufacturer=OpenSC%20Project;serial=56516a130f35;model=PKCS%2315
     -----------------------------------------------------------

     # List certs in tokens
     host:~$ certutil -d /etc/pki/pesign \
             -h "OpenSC Card (myorg-sb-signer)" -L
     Certificate Nickname                             Trust Attributes
                                                      SSL,S/MIME,JAR/XPI

     Enter Password or Pin for "OpenSC Card (myorg-sb-signer)": <type the PIN here>
     OpenSC Card (myorg-sb-signer):/CN=My Org's SB Signer    u,u,u

     # Sign with private key in HSM
     host:~$ pesign -t "OpenSC Card (myorg-sb-signer)" \
             -c "OpenSC Card (myorg-sb-signer):/CN=My Org's SB Signer" \
             -s -i foo.unsigned.efi -o foo.efi
   Signing using an HSM with an OpenSSL Engine
     If NSS cannot talk to your HSM directly, but the openssl command line
     tool is configured with your vendor's engine, you can still use pesign
     to sign your PE binaries by signing the SignedAttributes out of band.
     Below, $KEY and $ENGINEID stand for the engine's key identifier and
     engine name, and the digest passed to openssl must match pesign's
     --digest-type (sha256 by default):

     # Import the public certificate into the NSS Database
     host:~$ certutil -d /etc/pki/pesign -A -n myorg-sb-signer \
             -t ,,u -i myorg-sb-signer.cer

     # Export the PKCS-7 SignedAttributes section pesign generates
     host:~$ pesign -i foo.unsigned.efi -E foo.sattrs.bin

     # Generate a signature using OpenSSL
     host:~$ openssl dgst -sha256 -sign $KEY \
             --keyform ENGINE --engine $ENGINEID \
             -out foo.sattrs.sig foo.sattrs.bin

     # Import the signature with the original SignedAttributes into
     # the PE binary
     host:~$ pesign -c myorg-sb-signer \
             -R foo.sattrs.sig -I foo.sattrs.bin \
             -i foo.unsigned.efi -o foo.efi


STANDARDS

     B. Kaliski, PKCS #7: Cryptographic Message Syntax v1.5, Internet
     Engineering Task Force, RFC 2315, https://tools.ietf.org/html/rfc2315,
     March 1998.

     K. Moriarty, M. Nyström, S. Parkinson, A. Rusch, and M. Scott, PKCS #12:
     Personal Information Exchange Syntax v1.1, Internet Engineering Task
     Force, RFC 7292, https://tools.ietf.org/html/rfc7292, July 2014.

     PKCS11 Technical Committee, PKCS#11: Cryptographic Token Interface
     Standard, OASIS, https://www.cryptsoft.com/pkcs11doc/.

     M. Nyström, PKCS #15—A Cryptographic-Token Information Format Standard,
     RSA Laboratories,
     https://www.usenix.org/legacy/events/smartcard99/full_papers/nystrom/nystrom.pdf,
     1999.

     Portable Executable, Microsoft,
     https://docs.microsoft.com/en-us/windows/win32/debug/pe-format,
     August 26, 2019.

     Windows Authenticode Portable Executable Signature Format, Microsoft,
     https://web.archive.org/web/20130518222430/http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx,
     March 21, 2008.

     Federal Information Processing Standard 140-2, United States Department
     of Commerce, FIPS 140-2, http://csrc.nist.gov/publications/PubsFIPS.html,
     National Institute of Standards and Technology.


SEE ALSO

     certutil(1), efikeygen(1), modutil(1), opensc-tool(1), openssl(1ssl),
     openssl-dgst(1ssl), pesign-client(1), pk12util(1), pkcs15-init(1)


AUTHORS

     Peter Jones
     Vikas Charak (examples)

Linux                            Jun 4, 2020                            Linux