Signs the given PE binary for EFI Secure Boot. Takes a path to a PE binary as its argument. If the PE binary already has a certificate table, the new signature will be added to it. Otherwise a new certificate table will be created. The signed PE binary will be written to the path specified with --output=.

Added in version 257.

Specifies the path where to write the signed PE binary.

Added in version 257.

Set the Secure Boot private key and certificate for use with the sign. The --certificate= option takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider configured with --certificate-source. The --certificate-source takes one of "file" or "provider", with the latter being followed by a specific provider identifier, separated with a colon, e.g. "provider:pkcs11". The --private-key= option can take a path or a URI that will be passed to the OpenSSL engine or provider, as specified by --private-key-source= as a "type:name" tuple, such as "engine:pkcs11". The specified OpenSSL signing engine or provider will be used to sign the PE binary.

Added in version 257.

Print a short help text and exit.

Print a short version string and exit.