systemd 257~rc1

Name

systemd-sbsign — Sign PE binaries for EFI Secure Boot

Synopsis

systemd-sbsign [OPTIONS...] {COMMAND}

Description

systemd-sbsign can be used to sign PE binaries (such as boot loaders, kernel images and unified kernel images) for EFI Secure Boot. The signature is an Authenticode (PKCS#7) signature embedded in the PE binary's certificate table, which is the format EFI firmware checks when Secure Boot is enforced.

Commands

sign

Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE binary already has a certificate table, the new signature will be appended to it, leaving any existing signatures in place. Otherwise a new certificate table will be created. The input file is not modified; the signed PE binary will be written to the path specified with --output=.

Added in version 257.
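To make concrete what "already has a certificate table" means, the following is an added example (not systemd code): a stdlib-only Python model of the PE Attribute Certificate Table that lists the WIN_CERTIFICATE entries of a binary and appends a new entry the way sign does, creating the table if none exists. The PKCS#7 payloads are constructed dummy bytes, not real Authenticode signatures, and the PE image built by build_test_pe() is a constructed header-only file, not a bootable binary.

```python
"""Inspect and extend the Attribute Certificate Table of a PE binary.

Added example, not part of systemd. The data directory entry for the
certificate table holds a raw file offset (not an RVA), and the Authenticode
hash excludes that entry, the CheckSum field and the table itself, which is
why a second signature can be appended without invalidating the first.
"""
import struct

CERT_TABLE_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def cert_dir_entry_offset(pe: bytes) -> int:
    """File offset of the Certificate Table data-directory entry (offset, size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                       # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                        # PE32
        dirs = opt + 96
    elif magic == 0x20B:                      # PE32+, used by x86-64 EFI binaries
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if num_dirs <= CERT_TABLE_DIR:
        raise ValueError("optional header has no Certificate Table directory entry")
    return dirs + 8 * CERT_TABLE_DIR


def certificate_table_location(pe: bytes):
    """(file offset, size) of the certificate table; (0, 0) if the binary is unsigned."""
    return struct.unpack_from("<II", pe, cert_dir_entry_offset(pe))


def parse_certificate_table(pe: bytes):
    """Return [(revision, cert_type, payload)] for each WIN_CERTIFICATE entry."""
    off, size = certificate_table_location(pe)
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while off < end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, ctype, pe[off + 8:off + length]))
        off += (length + 7) & ~7              # entries are 8-byte aligned
    return entries


def encode_entry(revision: int, ctype: int, payload: bytes) -> bytes:
    """Serialize one WIN_CERTIFICATE entry, padded to an 8-byte boundary."""
    raw = struct.pack("<IHH", 8 + len(payload), revision, ctype) + payload
    return raw + b"\0" * (-len(raw) % 8)


def append_signature(pe: bytes, pkcs7: bytes) -> bytes:
    """Model of sign: append a PKCS#7 entry to an existing table, or create one."""
    off, size = certificate_table_location(pe)
    existing = parse_certificate_table(pe)
    # The table normally trails the file; rebuild it there. If it sits elsewhere,
    # the old bytes are left as dead space and the directory entry is repointed.
    body = pe[:off] if size and off + size == len(pe) else pe
    body += b"\0" * (-len(body) % 8)
    table = b"".join(encode_entry(r, t, p) for r, t, p in existing)
    table += encode_entry(WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA, pkcs7)
    out = bytearray(body + table)
    struct.pack_into("<II", out, cert_dir_entry_offset(pe), len(body), len(table))
    return bytes(out)


def build_test_pe(pkcs7_blobs=()) -> bytes:
    """Constructed minimal PE32+ header (not bootable) carrying the given payloads."""
    opt_size = 112 + 8 * 16                   # PE32+ fixed fields + 16 data directories
    hdr = bytearray(0x40 + 4 + 20 + opt_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)        # NumberOfRvaAndSizes
    pe = bytes(hdr)
    for blob in pkcs7_blobs:
        pe = append_signature(pe, blob)
    return pe


if __name__ == "__main__":
    import sys
    # Pass a real signed PE to list its entries; otherwise use the constructed image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe([b"constructed"])
    for i, (rev, ctype, payload) in enumerate(parse_certificate_table(data)):
        print(f"entry {i}: revision={rev:#x} type={ctype:#x} payload={len(payload)} bytes")
```

Run with the path of a binary signed by systemd-sbsign to confirm how many signatures it carries (for a real binary, each type 0x2 payload is a DER PKCS#7 SignedData blob starting with byte 0x30); signing the same binary twice with different keys should show two entries.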

validate-key

Checks that the private key specified with --private-key= (and, if given, --private-key-source=) can be loaded, without signing anything.

As a side effect, if the private key is loaded from a PIN-protected hardware token, this command can be used to cache the PIN in the kernel keyring, so that subsequent sign invocations (for example, when signing many binaries in one build) do not prompt for it again. The $SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC and $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE environment variables can be used to control how long and in which kernel keyring the PIN is cached.

Added in version 257.

Options

The following options are understood:

--output=PATH

Specifies the path to which the signed PE binary is written. Required by the sign command.

Added in version 257.

--private-key=PATH/URI, --private-key-source=TYPE[:NAME], --certificate=PATH

Set the Secure Boot private key and certificate for use with the sign command. The --certificate= option takes a path to a PEM encoded X.509 certificate, which must correspond to the private key; this certificate is what ends up in the PE binary's signature, so firmware with Secure Boot enforced will only accept the binary if that certificate, or a CA that issued it, is enrolled in the firmware's db and not revoked via dbx. The --private-key= option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as "engine:pkcs11". The specified OpenSSL signing engine or provider will be used to sign the PE binary, so the key material never needs to leave a hardware token.

Added in version 257.

--no-pager

Do not pipe output into a pager.

-h, --help

Print a short help text and exit.

--version

Print a short version string and exit.

See Also

bootctl(1)