Soft key

Sign EFI application with soft key

Note: if you create UKIs with stmgr, consider signing directly by adding the -signkey and -signcert options.

Preliminaries

Generate soft Secure Boot keys.

Install sbsign.

sudo apt install sbsigntool

Locate an EFI application to sign. This guide assumes the file is named stboot.uki.

Sign with db key

sbsign --key db.priv --cert db.crt stboot.uki

Debrief

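You signed the input EFI application with your db key. Because no --output option was given, sbsign wrote the signed copy to stboot.uki.signed. List the signatures embedded in it: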

sbverify --list stboot.uki.signed

The embedded signature should validate against db.crt.

sbverify --cert db.crt stboot.uki.signed