PESIGN-CLIENT

NAME

pesign-client − command line tool for signing UEFI applications

SYNOPSIS

pesign [−−in=infile | −i infile]
[−−out=outfile | −o outfile]
[−−export=exportfile | −e exportfile]
[−−token=token | −t token]
[−−certificate=nickname | −c nickname]
[−−unlock | −u] [−−kill | −k] [−−sign | −s] [ −−is−unlocked | −q ]
[−−pinfd=pinfd | −f pinfd]
[−−pinfile=pinfile | −F pinfile]

DESCRIPTION

pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.

OPTIONS

-−unlock

Unlock the specified token. A PIN - specified by one of -−pinfd, -−pinfile, or the environmental variable PESIGN_TOKEN_PIN - is required for this operation to succeed. The PIN may be empty, if that is what is required for the token specified with -−token.

-−is−unlocked Query a token specified with -−token for lock status.

-−pinfd=pinfd

When using -−unlock, read the token’s PIN from the open file descriptor pinfd.

-−pinfile=pinfile

When using -−unlock, read the token’s PIN from the file pinfile.

-−export

When used with -−sign, write the signature to outfile.

-−infile=infile

When used with -−sign, specify the input binary.

-−outfile=outfile

When used with -−sign, specify output file. If -−detached is specified, this will be a DER-formatted signature. Otherwise, the output will be the signed PE binary.

-−token=token

When used with -−unlock or -−sign, use the specified NSS token’s certificate database.

-−certificate=nickname

When used with -−sign, use the certificate database entry with the specified nickname for signing.

SEE ALSO

pesign(1)

AUTHORS

Peter Jones