systemd-sbsign - Sign PE binaries for EFI Secure Boot

sign
           Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE
           binary already has a certificate table, the new signature will be added to it. Otherwise a new
           certificate table will be created. The signed PE binary will be written to the path specified with
           --output=.

           Added in version 257.

systemd-sbsign can be used to sign PE binaries for EFI Secure Boot.

       systemd-sbsign - Sign PE binaries for EFI Secure Boot

       The following options are understood:

       --output=PATH
           Specifies the path where to write the signed PE binary.

           Added in version 257.

       --private-key=PATH/URI, --private-key-source=TYPE[:NAME], --certificate=PATH,
       --certificate-source=TYPE[:NAME]
           Set the Secure Boot private key and certificate for use with the sign. The --certificate= option
           takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider
           configured with --certificate-source. The --certificate-source takes one of "file" or "provider",
           with the latter being followed by a specific provider identifier, separated with a colon, e.g.
           "provider:pkcs11". The --private-key= option can take a path or a URI that will be passed to the
           OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as
           "engine:pkcs11". The specified OpenSSL signing engine or provider will be used to sign the PE binary.

           Added in version 257.

       -h, --help
           Print a short help text and exit.

       --version
           Print a short version string and exit.

bootctl(1)

systemd 257.4                                                                                  SYSTEMD-SBSIGN(1)

systemd-sbsign [OPTIONS...] {COMMAND}