User:Davezerave/Pesign
pesign, from the Red Hat Boot project, is a toolset for working with signed PE-COFF binaries.
Installation
Install the pesign package.
All of the commands below are run as the pesign user.
Configuration
Pesign does not come with a preconfigured NSS database.
To create one, run the following command as the pesign user (e.g. using sudo or su):
[pesign]$ certutil -N -d sql:/etc/pki/pesign --empty-password
Running
Enable and start pesign.service. This starts a daemon based on pesign(1) that is accessed through pesign-client(1).
Tips and tricks
Create a Certificate Authority for kernel signing
Create a basic self-signed Certificate Authority keypair using efikeygen(1) as the pesign user (this also adds it to the database):
[pesign]$ efikeygen -k -C -S -c <common name in rfc2253 syntax> -n nickname
List all certificates
Certificates are stored in the NSS database below /etc/pki/pesign/.
List all certificates using certutil as the pesign user:
[pesign]$ certutil -L -d sql:/etc/pki/pesign/
Sign a binary
If pesign's NSS database is configured correctly, it is possible to use pesign-client(1) as the pesign user to sign a binary:
[pesign]$ pesign-client -s -i input_file -o output_file -c certificate-nickname
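After the pesign-client run it is worth confirming that output_file actually carries an Authenticode certificate table rather than trusting the exit status alone. The following Python check is an added example and is not part of this page or of pesign: it walks the PE header to the security data directory (entry 4) and reports the WIN_CERTIFICATE type; build_sample_pe is a constructed toy PE32+ image standing in for a real kernel so the check runs offline.

```python
import struct
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData

def signature_info(data: bytes):
    """Return (file_offset, size, cert_type) of the certificate table, or None if absent/invalid."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt_off = pe_off + 4 + 20                                        # skip the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        nrva_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = opt_off + 108, opt_off + 112
    else:
        return None
    if struct.unpack_from("<I", data, nrva_off)[0] <= CERT_TABLE_INDEX:
        return None                                                  # no security directory entry at all
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + CERT_TABLE_INDEX * 8)
    if cert_size < 8 or cert_off + cert_size > len(data):
        return None                                                  # unsigned, or table points outside the file
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    if length > cert_size:
        return None                                                  # WIN_CERTIFICATE overruns its table
    return cert_off, cert_size, cert_type

def is_authenticode_signed(data: bytes) -> bool:
    info = signature_info(data)
    return info is not None and info[2] == WIN_CERT_TYPE_PKCS_SIGNED_DATA

def build_sample_pe(signed: bool) -> bytes:
    """Constructed toy PE32+ image (not a real kernel, not a real signature)."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)        # x86-64, 240-byte optional header
    opt = struct.pack("<H", PE32PLUS_MAGIC) + bytes(106) + struct.pack("<I", 16)  # 16 data directories
    dirs = [(0, 0)] * 16
    body = bytes(64)                                                  # stand-in for section data
    cert_off = len(dos) + 4 + len(coff) + len(opt) + 16 * 8 + len(body)
    cert = b""
    if signed:
        blob = b"\x30\x00"                                            # placeholder for the DER PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        dirs[CERT_TABLE_INDEX] = (cert_off, len(cert))
    dir_bytes = b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + dir_bytes + body + cert
```

On a real binary pass open(output_file, "rb").read() to is_authenticode_signed; a True result only shows that a PKCS#7 signature is attached, not that it chains to a certificate your firmware or shim trusts.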
See also
- pesign on GitHub - the upstream git repository
- Red Hat Boot on GitHub - the GitHub organization run by Red Hat working on boot-related topics