Use the sign-file command to add a code signature to Linux boot files.
Before you begin
Depending on your Linux distribution, the sign-file command might be packaged as part of the kernel-devel package. If the command is not available, you must compile it from source code.
For source-code download and compilation of the sign-file command, the following packages are required:
About this task
If a new signature is added to an already signed file, only the new signature is used for
signature validation, but the old signature data remains between the original file data and the new
signature.
Old signature data does not typically cause a problem during boot, but the growing file size
might lead to an overlap at boot time, causing boot failures.
Procedure
- If your distribution does not contain the sign-file command, download the source code and compile the command.
To obtain the latest sign-file source code from the upstream Linux kernel source repository, issue the following command:
# curl -O https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/sign-file.c
- To compile the command, issue:
# gcc sign-file.c -o sign-file -lcrypto
- Sign a boot file with the sign-file command.
Issue a command of the following form:
# sign-file sha256 <private_key_file.pem> <public_key_cert.pem> <file>
where:
- <private_key_file.pem> is the file containing your private key.
- <public_key_cert.pem> is the file containing your public key.
- <file> is the boot or module file you want to sign.
For example, issue:
# sign-file sha256 private-key.pem cert.pem /lib/s390-tools/stage3.bin
In the example, the command signs a boot file using a private-key file private-key.pem and a public-key certificate cert.pem.
Results
The resulting data consists of a DER-encoded PKCS#7 signature and additional Linux-specific
information. This data is appended to the end of the original file as a signature trailer,
increasing the original file size.
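As an added illustration (not part of this documentation, nor of the s390-tools or kernel projects), the following Python script parses the trailer that sign-file appends, so you can check how many signatures have been stacked on a file and how many bytes they add before it is used for boot. It assumes the upstream trailer layout (a 12-byte struct module_signature followed by the magic string) and uses a constructed placeholder blob in place of a real PKCS#7 signature; it does not cryptographically verify the signature.

```python
import struct
import sys

# Trailer that scripts/sign-file appends after the DER PKCS#7 blob:
# struct module_signature (12 bytes, big-endian sig_len) followed by a magic string.
MAGIC = b"~Module signature appended~\n"
SIG_INFO = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len
PKEY_ID_PKCS7 = 2  # id_type that sign-file writes for PKCS#7 signatures

def strip_one_signature(data: bytes):
    """If data ends with a sign-file trailer, return (payload, der_signature); otherwise None."""
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return None
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[: -SIG_INFO.size]
    # PKCS#7 trailers carry no inline signer/key id; sig_len must fit in what remains.
    if id_type != PKEY_ID_PKCS7 or signer_len or key_id_len or not 0 < sig_len <= len(body):
        return None
    return body[:-sig_len], body[-sig_len:]

def count_signatures(data: bytes):
    """Peel stacked trailers; return (trailer_count, trailer_bytes, original_payload)."""
    payload, count = data, 0
    while True:
        stripped = strip_one_signature(payload)
        if stripped is None:
            return count, len(data) - len(payload), payload
        payload = stripped[0]
        count += 1

def make_trailer(der_signature: bytes) -> bytes:
    """Build a trailer in sign-file's layout (used here only to construct sample input)."""
    return der_signature + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(der_signature)) + MAGIC

# Constructed sample: a stand-in boot image and a placeholder blob, not a real PKCS#7 signature.
SAMPLE_PAYLOAD = b"STAGE3-BOOT-IMAGE-SAMPLE" * 4
FAKE_DER = bytes.fromhex("3082000402010100")
SIGNED_ONCE = SAMPLE_PAYLOAD + make_trailer(FAKE_DER)
SIGNED_TWICE = SIGNED_ONCE + make_trailer(FAKE_DER)  # re-signed without removing the old trailer

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SIGNED_TWICE
    count, extra, _ = count_signatures(data)
    print(f"trailers: {count}, signature bytes appended: {extra}, total size: {len(data)}")
```

Run it with the path of a signed boot file as the only argument; a trailer count above 1 means the file was re-signed without stripping the previous trailer, which is the file growth described under About this task.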