From ArchWiki

The Red Hat Boot project pesign is a toolset for working with signed PE-COFF binaries.


Install the pesign package. For all actions the pesign user is used.


Pesign does not come with a preconfigured NSS database.

To create one run the following command as the pesign user (e.g. using sudo or su):

 [pesign]$ certutil -N -d sql:/etc/pki/pesign --empty-password


Enable and start pesign.service. This will start a daemon based on pesign(1) that can be interfaced using pesign-client(1).

Tips and tricks

Create a Certificate Authority for kernel signing

Create a basic self-signed Certificate Authority keypair using efikeygen(1) as the pesign user (and add it to the database):

 [pesign]$ efikeygen -k -C -S -c <common name in rfc2253 syntax> -n nickname

List all certificates

Certificates are stored in the NSS database below /etc/pki/pesign/. List all certificates using certutil as the pesign user:

 [pesign]$ certutil -L -d sql:/etc/pki/pesign/

Sign a binary

If pesign's NSS database is configured correctly, it is possible to use pesign-client(1) as the pesign user to sign a binary:

 [pesign]$ pesign-client -s -i input_file -o output_file -c certificate-nickname

See also