NAME

       virt-fw-sigdb - manual page for virt-fw-sigdb 25.4

DESCRIPTION

       The  virt-fw-sigdb utility can create, modify and print EFI signature databases.  This is the format used
       by UEFI firmware to store lists of certificates and authenticode hashes for  binaries  in  EFI  variables
       like 'PK', 'KEK', 'db' and 'dbx'.

       Usually  signature  databases  are embedded in EFI variable stores, so for most use cases you'll probably
       should check out the virt-fw-vars(1) utility instead of this.

       The exception to this rule is the list of root CA certificates for TLS connections which  can  be  passed
       from the host via qemu to OVMF using the etc/edk2/https/cacerts fw_cfg file.

       usage: virt-fw-sigdb [-h] [-i FILE] [-o FILE] [--add-cert GUID FILE]

              [--add-hash GUID HASH] [-p]

   options:
       -h, --help
              show this help message and exit

       -i, --input FILE
              read efi sigdb FILE

       -o, --output FILE
              write efi sigdb FILE.

       --add-cert GUID FILE
              add  x509  cert  to  sigdb,  loaded  in pem format from FILE and with owner GUID, can be specified
              multiple times

       --add-hash GUID HASH
              add sha256 hash to sigdb, with owner GUID, can be specified multiple times

       -p, --print
              print sigdb

EXAMPLES

       Print system root CA database
              virt-fw-sigdb --print \
                  --input /etc/pki/ca-trust/extracted/edk2/cacerts.bin

AUTHOR

       Gerd Hoffmann <kraxel@redhat.com>

virt-fw-sigdb 25.4                                 April 2025                                   VIRT-FW-SIGDB(1)