{"id":31103702,"url":"https://github.com/oracle-samples/sign","last_synced_at":"2025-09-17T02:50:24.482Z","repository":{"id":266115613,"uuid":"880186001","full_name":"oracle-samples/sign","owner":"oracle-samples","description":null,"archived":false,"fork":false,"pushed_at":"2024-12-13T16:03:54.000Z","size":58,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-12-13T17:32:20.092Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oracle-samples.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-29T09:24:05.000Z","updated_at":"2024-12-13T16:03:59.000Z","dependencies_parsed_at":"2024-12-02T17:41:51.784Z","dependency_job_id":null,"html_url":"https://github.com/oracle-samples/sign","commit_stats":null,"previous_names":["oracle-samples/sign"],"tags_count":0,"template":false,"template_full_name":"oracle/template-repo","purl":"pkg:github/oracle-samples/sign","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-samples%2Fsign","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-samples%2Fsign/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-samples%2Fsign/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-samples%2Fsign/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oracle-samples","download_url":"https://codeload.github.com/oracle-samples/sign/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oracle-samples%2Fsign/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275526385,"owners_count":25480460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-17T02:00:09.119Z","response_time":84,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-17T02:50:20.398Z","updated_at":"2025-09-17T02:50:24.475Z","avatar_url":"https://github.com/oracle-samples.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SIGN\n\n**sign - signing tool for developers**\n\n## Description\n\nGeneric signing tool for developers. This is **NOT for use in\nproduction**. All private keys are stored in the clear. This tool is\ngeared towards a developer that wants to quickly sign things.\n\n## The Problem\n\nThe process is rather lengthy for someone that just wants to quickly sign\nsomething. Therefore this tool can sign anything with only a couple of commands.\nYou can sign a kernel, module, ima-sign, or sign a boot loader with a DB key.\n\n## Getting started\n\nInitial setup:\n\n```\n$ sign init-setup\n```\n\nThis will create all the keys. Afterwards you must reboot and enroll them\nthrough the MOK.  Console access is required for this step.\n\n## Usage\n\nThen all that needs to be done to sign things is:\n\n```\n$ sign module \u003cmodule name\u003e\n$ sign kernel \u003ckernel name\u003e\n$ sign ima \u003canything\u003e\n$ sign bootloader \u003cefi program\u003e\n```\n\nThe keys for the ima and bootloader commands are generated, but not\nautomatically enrolled like the kernel and module keys. If you want to use\nIMA, the ima key must be added to your .ima keyring. If you use the bootloader\ncommand, the DB key must be added through the BIOS. It will also generate\ncustom KEK and PK keys. All public keys can be found in /etc/sign.\n\nIf you want to override the default key values look in (/etc/sign/sign.conf),\nand create a file called /etc/sign/local.conf and override anything you’d like.\n\n## Uninstall\n\nIf you want to uninstall or start over with new keys:\n\n```\n$ sign destroy-setup\n```\n\n## Commands\n\n##### backup\n\n    Backup both the public and private keys to move to a different machine.\n    Don't mix backup files between OL8 and OL9.\n\n##### bootloader \\\u003cefiprogram\\\u003e\n\n    PE sign a boot loader.\n\n##### destroy-setup\n\n    Unenroll all keys and remove them from the machine. Afterwards you must\n    reboot and unenroll them through the MokManager. When rebooting, shim\n    will load the MokManager and ask for a password. The password is the\n    same as root. Console access is required for this step.\n\n##### ima \\\u003cfilename\\\u003e\n\n    IMA sign a file\n\n##### init-setup\n\n    Create all the keys. Afterwards you must reboot and enroll them through\n    the MokManager. When rebooting, shim will load the MokManager and ask\n    for a password. The password is the same as root. Console access is\n    required for this step. If you are using UEK-NEXT kernels, the \\\"Oracle\n    Linux Test Certificate\\\" will also be enrolled with this step. Only call\n    this once. If you need to start over issue the destroy-setup command\n    first.\n\n##### kernel \\\u003ckernel name\\\u003e\n\n    PE sign a kernel\n\n##### module \\\u003cmodule name\\\u003e\n\n     Sign a module\n\n##### restore \\\u003cbackup-name\\\u003e\n\n    Restore a backup generated from a different machine. This can be used in\n    place of the init-setup command. Afterwards a reboot is required. Follow\n    the same steps as init-setup to enroll the keys within the MokManager.\n\n## Configuration\n\nThe default key values are located in /etc/sign/sign.conf. To override\nanything in this file, create a custom file called /etc/sign/local.conf\nwith the value to be overridden.\n\n## IMA keys\n\nThe sign program will enroll the IMA CA. The leaf cert must be loaded\ninto the .ima keyring. The leaf cert is available in\n/etc/sign/x509\\_ima.der. This could be added to the initram or loaded\nafter boot.\n\n## PK, KEK, and DB KEYS\n\nThe bootloader command signs the file with a DB key. This key must be\nadded through the UEFI. There is also a KEK and PK key that may be\nenrolled into the UEFI too. These keys are located in /etc/sign and are\ncalled db.der, kek.der, and pk.der.\n\n## Contributing\n\nThis project welcomes contributions from the community. Before submitting a\npull request, please [review our contribution guide](./CONTRIBUTING.md)\n\n## Security\n\nPlease consult the [security guide](./SECURITY.md) for our responsible\nsecurity vulnerability disclosure process\n\n## License\n\nCopyright (c) 2024 Oracle and/or its affiliates.\n\nThis software is available to you under\n\nSPDX-License-Identifier: GPL-2.0-or-later\n\nBeing under the terms of the GNU General Public License version 2 or later.\n\nSPDX-URL: https://spdx.org/licenses/GPL-2.0-or-later.html\n\nSee [the license file](./LICENSE.txt) for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foracle-samples%2Fsign","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foracle-samples%2Fsign","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foracle-samples%2Fsign/lists"}