systemd systemd-sbsign 1 systemd-sbsign Sign PE binaries for EFI Secure Boot systemd-sbsign OPTIONS COMMAND systemd-sbsign can be used to sign PE binaries for EFI Secure Boot. sign Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE binary already has a certificate table, the new signature will be added to it. Otherwise a new certificate table will be created. The signed PE binary will be written to the path specified with --output=. The following options are understood: --output=PATH Specifies the path where to write the signed PE binary. --private-key=PATH/URI --private-key-source=TYPE[:NAME] --certificate=PATH --certificate-source=TYPE[:NAME] Set the Secure Boot private key and certificate for use with the sign. The --certificate= option takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider configured with --certificate-source. The --certificate-source takes one of file or provider, with the latter being followed by a specific provider identifier, separated with a colon, e.g. provider:pkcs11. The --private-key= option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by --private-key-source= as a type:name tuple, such as engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign the PE binary. bootctl1