The Red Hat Boot project's pesign is a toolset for working with signed PE-COFF binaries.
Install the package.
For all actions the pesign user is used.
Pesign does not come with a preconfigured NSS database.
[pesign]$ certutil -N -d sql:/etc/pki/pesign --empty-password
Tips and tricks
Create a Certificate Authority for kernel signing
Create a basic self-signed Certificate Authority keypair using efikeygen as the pesign user (and add it to the database):
[pesign]$ efikeygen -k -C -S -c <common name in rfc2253 syntax> -n nickname
List all certificates
Certificates are stored in the NSS database below /etc/pki/pesign.
List all certificates using certutil as the pesign user:
[pesign]$ certutil -L -d sql:/etc/pki/pesign/
Sign a binary
If pesign's NSS database is configured correctly, it is possible to use pesign-client as the pesign user to sign a binary:
[pesign]$ pesign-client -s -i input_file -o output_file -c certificate-nickname