pesign - command line tool for signing UEFI applications

DESCRIPTION

       pesign  is  a  command  line tool for manipulating signatures and cryptographic digests of
       UEFI applications.

SYNOPSIS

       pesign [--in=infile | -i infile]
              [--out=outfile | -o outfile]
              [--certdir=certdir | -n certdir]
              [--nss-token=token | -t token]
              [--certificate=nickname | -c nickname]
              [--force | -f] [--sign | -s] [--hash | -h]
              [--digest_type=digest | -d digest]
              [--show-signature | -S ] [--remove-signature | -r ]
              [--export-pubkey=outkey | -K outkey]
              [--export-cert=outcert | -C outcert]
              [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
              [--signature-number=signum | -u signum]

OPTIONS

       --in=infile
              Specify input binary.

       --out=outfile
              Specify output binary.

       --certdir=certdir
              Specify nss certificate database directory.

       --nss-token=token
              Use the specified NSS token's certificate database.

       --certificate=nickname
              Use the certificate database entry with the specified nickname for signing.

       --force
              Overwrite output files. Without this parameter, pesign will refuse to overwrite any
              output files which already exist.

       --sign Sign the input binary with the key specified by --certificate.

       --hash Display the cryptographic digest of the input binary on standard output.

       --digest_type=digest
              Use  the specified digest in hashing and signing operations. By default, this value
              is "sha256".  Use "--digest_type=help" to list the available digests.

       --show-signature
              Show information about the signature of the input binary.

       --remove-signature
              Remove the signature section from the binary.

       --signature-number=signum
              Specify which signature to operate on.  This field is zero-indexed.

       --export-pubkey=outkey
              Export the public key specified by --certificate to outkey.

       --export-cert=outcert
              Export the certificate specified by --certificate to outcert.

       --ascii-armor
              Use ascii armoring on exported certificates.

       --daemonize
              Spawn a daemon for use with pesign-client(1).

       --nofork
              Do not fork when using --daemonize.

EXAMPLES

       If you have a certificate file and private key file, the following steps may  be  used  to
       sign a PE image:

           # Create a pkcs12 file from private key and
           # certificate file.
           host:~$ openssl pkcs12 -export -out foo_key.p12 \
                           -inkey signing_key.pem \
                           -in xyz_cert.x509.pem

           # Import pkcs12 file into pesign db
           host:~$ pk12util -i foo_key.p12 -d /etc/pki/pesign

           # Do the signing
           host:~$ pesign -i <input-file> -o <output-file> \
                          -c <cert nickname>  -s

       Please  note that this is just an example, and that recommended best practice is to always
       store private keys in a FIPS 140-2 hardware security module, level 2 or higher.

 Source: http://manpages.ubuntu.com/manpages/bionic/man1/pesign.1.html
