{"id":32514423,"url":"https://github.com/jbock-java/sign-efi-siglist","last_synced_at":"2025-10-27T23:45:34.581Z","repository":{"id":284325381,"uuid":"954562261","full_name":"jbock-java/sign-efi-siglist","owner":"jbock-java","description":null,"archived":false,"fork":false,"pushed_at":"2025-10-06T08:54:45.000Z","size":436,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-06T09:41:43.321Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jbock-java.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-03-25T09:18:47.000Z","updated_at":"2025-10-06T08:54:49.000Z","dependencies_parsed_at":"2025-05-07T14:57:54.841Z","dependency_job_id":"e98f1b4e-8867-4f23-ba32-cc5576978a89","html_url":"https://github.com/jbock-java/sign-efi-siglist","commit_stats":null,"previous_names":["jbock-java/efitools","jbock-java/mkefivardata","jbock-java/sign-esl"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jbock-java/sign-efi-siglist","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fsign-efi-siglist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fsign-efi-siglist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fsign-efi-siglist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fsign-efi-siglist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jbock-java","download_url":"https://codeload.github.com/jbock-java/sign-efi-siglist/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jbock-java%2Fsign-efi-siglist/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281361350,"owners_count":26487881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-27T02:00:05.855Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-27T23:45:30.707Z","updated_at":"2025-10-27T23:45:34.573Z","avatar_url":"https://github.com/jbock-java.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sign-efi-siglist\n\n```\nThis tool is derived from efitools' \"sign-efi-sig-list\".\nThe name was changed to avoid confusion, because the output format is different:\n\"sign-efi-sig-list\" creates output in \"auth\" format,\nwhich is suitable for UEFI's standard \"SetVariable\" call.\nBy contrast, \"sign-efi-siglist\" outputs the native format of the Linux\n\"efivarfs\" filesystem (with four extra bytes of \"attributes\").\nOn a Linux system, this can be more convenient, because such a \"vardata\" file\ncan be copied directly to the efivarfs filesystem.\nThis means that secureboot keys can be enrolled\nwithout an additional tool like \"efi-updatevar\".\n```\n\n[efitools upstream](https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)\n\n[docs: UEFI Services - Runtime Services](https://uefi.org/specs/UEFI/2.11/08_Services_Runtime_Services.html)\n\n[docs: UEFI Secure Boot and Driver Signing](https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html)\n\n[docs: kernel efivarfs](https://www.kernel.org/doc/html/latest/filesystems/efivarfs.html)\n\n### Install dependencies\n\n```sh\n# Ubuntu / Debian\nsudo apt-get install gnu-efi\n# Fedora\nsudo dnf install gnu-efi-devel\n```\n\n### Installation\n\n```sh\nsudo make install\n```\n\n### Create and enroll your keys\n\nKeys and certificates can be created with the `openssl x509` command; see [Controlling Secure Boot](https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html).\nLet's assume you have created three pairs consisting of 6 files:\n\n```\nPK.key PK.crt\nKEK.key KEK.crt\nmyOrg.key myOrg.crt\n```\n\nWe could have called the last pair `db.key` and `db.crt`. But let's assume for now that we also want to enroll the \"fedora secure boot signing certificate\" along with `myOrg.crt`.\n\nThe fedora certificate comes in the form of an additional file `fedora.crt`. Note that we do not have the corresponding private key.\n\nChoose a guid and convert all your `crt` files to \"efi-siglist\" format:\n\n```sh\nguid=4212023e-a290-11f0-bd3b-e446b04ad651\nfor name in PK KEK myOrg fedora; do\n    cert-to-efi-sig-list -g $guid $name.crt $name.esl\ndone\n```\n\nThe `esl` files can be concatenated. Combine `myOrg.esl` and `fedora.esl` to create `db.esl`:\n\n```sh\ncat myOrg.esl fedora.esl \u003e db.esl\n```\n\nNow sign your `esl` files, thus creating three files `PK.vardata`, `KEK.vardata` and `db.vardata`:\n\n```sh\ntimestamp=\"2025-10-06 12:00:01\"\n# PK signs PK\nsign-efi-siglist -g $guid -t \"$timestamp\" -k PK.key -c PK.crt PK PK.esl PK.vardata\n# PK signs KEK\nsign-efi-siglist -g $guid -t \"$timestamp\" -k PK.key -c PK.crt KEK KEK.esl KEK.vardata\n# KEK signs db\nsign-efi-siglist -g $guid -t \"$timestamp\" -k KEK.key -c KEK.crt db db.esl db.vardata\n```\n\nThe `vardata` files do not contain private key data, so they can be shared.\nBoot the target system in \"Secure Boot Setup Mode\" and enroll your keys:\n\n```sh\nchattr -i /sys/firmware/efi/efivars/*\ncp db.vardata /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f\ncp KEK.vardata /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c\ncp PK.vardata /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbock-java%2Fsign-efi-siglist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjbock-java%2Fsign-efi-siglist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjbock-java%2Fsign-efi-siglist/lists"}