SYNOPSIS
pesign [--in=infile | -i infile] [--out=outfile | -o outfile]
       [--export=exportfile | -e exportfile]
       [--token=token | -t token]
       [--certificate=nickname | -c nickname]
       [--unlock | -u] [--kill | -k] [--sign | -s] [--is-unlocked | -q]
       [--pinfd=pinfd | -f pinfd]
       [--pinfile=pinfile | -F pinfile]
DESCRIPTION
pesign is a command line tool for manipulating signatures and cryptographic digests of UEFI applications.
OPTIONS
- --unlock
  Unlock the specified token. A PIN, specified by one of --pinfd,
  --pinfile, or the environment variable PESIGN_TOKEN_PIN,
  is required for this operation to succeed. The PIN may be empty, if that
  is what is required for the token specified with --token.
- --is-unlocked
  Query a token specified with --token for lock status.
- --pinfd=pinfd
  When using --unlock, read the token's PIN from the open file descriptor
  pinfd.
- --pinfile=pinfile
  When using --unlock, read the token's PIN from the file pinfile.
- --sign
  Sign the binary specified by infile.
- --export
  When used with --sign, write the signature to outfile.
- --infile=infile
  When used with --sign, specify the input binary.
- --outfile=outfile
  When used with --sign, specify output file. If --detached
  is specified, this will be a DER-formatted signature. Otherwise, the
  output will be the signed PE binary.
- --token=token
  When used with --unlock or --sign, use the specified NSS
  token's certificate database.
- --certificate=nickname
  When used with --sign, use the certificate database entry with the
  specified nickname for signing.
- --kill
  Terminate the signing server.
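
As an added example (not part of the pesign manual or project), the wrapper below unlocks a token by passing the PIN on a file descriptor with --pinfd, after checking that the PIN file is not accessible to group or others, and then signs a binary. The function names, the PESIGN_BIN variable, and the choice to drop PESIGN_TOKEN_PIN from the child's environment are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrapper around the --unlock / --pinfd / --sign options
# documented above. PESIGN_BIN and all function names are assumptions of
# this example, not part of pesign itself.
PESIGN_BIN=${PESIGN_BIN:-pesign}

# Succeed only if $1 is a regular file (not a symlink) with no group or
# other permission bits set, e.g. mode 0600 or 0400.
pinfile_is_private() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Unlock token $1 using the PIN stored in file $2.
# The PIN reaches the tool on file descriptor 3 (--pinfd=3), so it never
# appears in the argument list, and PESIGN_TOKEN_PIN is unset in the
# subshell so exactly one PIN source is offered to the tool.
unlock_token() {
    if ! pinfile_is_private "$2"; then
        echo "refusing: $2 must be a regular file with no group/other access" >&2
        return 3
    fi
    ( unset PESIGN_TOKEN_PIN
      "$PESIGN_BIN" --unlock --token="$1" --pinfd=3 3<"$2" )
}

# Report the lock status of token $1 (output format is left to the tool).
token_status() {
    "$PESIGN_BIN" --is-unlocked --token="$1"
}

# Sign input binary $3 into $4 with certificate nickname $2 from token $1.
# The short -i/-o forms are the ones given in the SYNOPSIS.
sign_binary() {
    "$PESIGN_BIN" --sign --token="$1" --certificate="$2" -i "$3" -o "$4"
}

# Typical sequence (token, nickname and paths are constructed placeholders):
#   unlock_token "Example Token" /root/.pesign-pin &&
#   token_status "Example Token" &&
#   sign_binary  "Example Token" "Example Signer" shim.efi shim-signed.efi
```
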
AUTHORS
Peter Jones