systemd-sbsign(1) — Linux manual page


SYSTEMD-SBSIGN(1)             systemd-sbsign            SYSTEMD-SBSIGN(1)

NAME

       systemd-sbsign - Sign PE binaries for EFI Secure Boot

SYNOPSIS

       systemd-sbsign [OPTIONS...] {COMMAND}

DESCRIPTION

       systemd-sbsign can be used to sign PE binaries for EFI Secure
       Boot.

COMMANDS

       sign
           Signs the given PE binary for EFI Secure Boot. Takes a path to
           a PE binary as its argument. If the PE binary already has a
           certificate table, the new signature will be added to it.
           Otherwise, a new certificate table will be created. The signed
           PE binary will be written to the path specified with
           --output=.

           Added in version 257.

OPTIONS

       The following options are understood:

       --output=PATH
           Specifies the path where to write the signed PE binary or the
           data to be signed offline when using the
           --prepare-offline-signing option.

           Added in version 257.

       --private-key=PATH/URI, --private-key-source=TYPE[:NAME],
       --certificate=PATH, --certificate-source=TYPE[:NAME]
           Set the Secure Boot private key and certificate for use with
           the sign verb. The --certificate= option takes a path to a
           PEM-encoded X.509 certificate or a URI that's passed to the
           OpenSSL provider configured with --certificate-source. The
           --certificate-source option takes one of "file" or "provider",
           with the latter being followed by a specific provider
           identifier, separated with a colon, e.g.  "provider:pkcs11".
           The --private-key= option takes a path or a URI that will be
           passed to the OpenSSL engine or provider, as specified by
           --private-key-source= as a "type:name" tuple, such as
           "engine:pkcs11". The specified OpenSSL signing engine or
           provider will be used to sign the PE binary.

           Added in version 257.

       --prepare-offline-signing
           When this option is specified, the sign command writes the
           data that should be signed to the path specified with
           --output= instead of writing the signed PE binary. This data
           can then be signed out of band after which the signature can
           be attached to the PE binary using the --signed-data= and
           --signed-data-signature= options.

           Added in version 258.

       --signed-data=PATH, --signed-data-signature=PATH
           Pass to the sign command the data to be signed (as written to
           the path specified with --output= when using the
           --prepare-offline-signing option) and the signature that was
           produced over that data out of band; sign then attaches this
           signature to the PE binary.

           Added in version 258.

       -h, --help
           Print a short help text and exit.

       --version
           Print a short version string and exit.

EXAMPLES

       Example 1. Offline EFI secure boot signing of a PE binary

       The following does offline secure boot signing of systemd-boot:

           SD_BOOT="$(find /usr/lib/systemd/boot/efi/ -name "systemd-boot*.efi" | head -n1)"
           # Extract the data that should be signed offline.
           /usr/lib/systemd/systemd-sbsign \
               sign \
               --certificate=secure-boot-certificate.pem \
               --output=signed-data.bin \
               --prepare-offline-signing \
               "$SD_BOOT"
           # Sign the data out of band. This step usually happens on a separate system that holds the private key.
           openssl dgst -sha256 -sign secure-boot-private-key.pem -out signed-data.sig signed-data.bin
           # Attach the signed data and its signature to the systemd-boot PE binary.
           /usr/lib/systemd/systemd-sbsign \
               sign \
               --certificate=secure-boot-certificate.pem \
               --output="$SD_BOOT.signed" \
               --signed-data=signed-data.bin \
               --signed-data-signature=signed-data.sig \
               "$SD_BOOT"
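       The following is an added example, not part of the systemd manual
       page or of the systemd project, covering the out-of-band step of
       the --prepare-offline-signing / --signed-data= workflow above. It
       shows a check worth running on the signing side before the
       signature is handed back and attached: verifying the detached
       signature against the public key in the certificate that will be
       embedded in the PE binary, so that a signature made with the wrong
       key, or over the wrong signed-data.bin, is caught before
       systemd-sbsign is invoked. The key pair, certificate subject and
       the contents of signed-data.bin are constructed throwaway test
       material, and all file and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the systemd man page): sign the offline data
# and verify the signature against the Secure Boot certificate before
# attaching it with --signed-data= / --signed-data-signature=.
set -eu

# Constructed test key pair standing in for the real Secure Boot signing
# key and certificate. A real deployment would use an existing key, often
# held in an HSM or PKCS#11 token rather than a PEM file.
make_test_keypair() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Secure Boot Signing Key (constructed)" \
        -keyout "$dir/secure-boot-private-key.pem" \
        -out "$dir/secure-boot-certificate.pem" >/dev/null 2>&1
}

# Produce the detached signature the same way the man page example does:
# a SHA-256 digest of the data, signed with the private key.
sign_offline() {
    key=$1; data=$2; sig=$3
    openssl dgst -sha256 -sign "$key" -out "$sig" "$data"
}

# Verify that the detached signature matches the certificate that will be
# embedded via --certificate=. Prints "ok" when it verifies, "bad" otherwise.
verify_signed_data() {
    cert=$1; data=$2; sig=$3
    pub=$(mktemp)
    openssl x509 -in "$cert" -pubkey -noout > "$pub"
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$data" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
    rm -f "$pub"
}

# End-to-end run on constructed data: a good signature verifies, and the
# same signature over modified data is rejected. Prints "ok bad".
demo() {
    work=$(mktemp -d)
    make_test_keypair "$work"
    # Stands in for signed-data.bin as written by --prepare-offline-signing.
    printf 'constructed placeholder for signed-data.bin\n' > "$work/signed-data.bin"
    sign_offline "$work/secure-boot-private-key.pem" \
        "$work/signed-data.bin" "$work/signed-data.sig"
    good=$(verify_signed_data "$work/secure-boot-certificate.pem" \
        "$work/signed-data.bin" "$work/signed-data.sig")
    # Alter the data after signing: the check must now fail.
    printf 'tampered\n' >> "$work/signed-data.bin"
    bad=$(verify_signed_data "$work/secure-boot-certificate.pem" \
        "$work/signed-data.bin" "$work/signed-data.sig")
    rm -rf "$work"
    echo "$good $bad"
}

demo
```

       In the real workflow, verify_signed_data would be run on
       signed-data.bin and signed-data.sig with the same certificate that
       is later passed to systemd-sbsign as --certificate=, and the attach
       step would only proceed when it prints "ok". Note that the
       verification only proves that the signature was made by the key in
       the certificate; whether that certificate is trusted by the
       firmware's Secure Boot database is a separate question.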

SEE ALSO

       bootctl(1)

COLOPHON

       This page is part of the systemd (systemd system and service
       manager) project.  Information about the project can be found at
       ⟨http://www.freedesktop.org/wiki/Software/systemd⟩.  If you have a
       bug report for this manual page, see
       ⟨http://www.freedesktop.org/wiki/Software/systemd/#bugreports⟩.
       This page was obtained from the project's upstream Git repository
       ⟨https://github.com/systemd/systemd.git⟩ on 2025-08-11.  (At that
       time, the date of the most recent commit that was found in the
       repository was 2025-08-11.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

systemd 258~rc2                                         SYSTEMD-SBSIGN(1)
