Package Details: sbkeys 1.1.0-2
Git Clone URL: | https://aur.archlinux.org/sbkeys.git (read-only) |
---|---|
Package Base: | sbkeys |
Description: | Simple script to generate Secure Boot keys |
Upstream URL: | https://github.com/electrickite/sbkeys |
Licenses: | GPL3 |
Submitter: | electrickite |
Maintainer: | electrickite |
Last Packager: | electrickite |
Votes: | 4 |
Popularity: | 0.000000 |
First Submitted: | 2017-03-13 02:03 (UTC) |
Last Updated: | 2021-11-09 02:11 (UTC) |
Dependencies (7)
- bash (bash-devel-static-git AUR, bash-devel-git AUR, busybox-coreutils AUR, bash-git AUR)
- coreutils (coreutils-git AUR, busybox-coreutils AUR, coreutils-hybrid-git AUR, coreutils-selinux AUR, coreutils-uutils AUR, coreutils-hybrid AUR)
- efitools (efitools-git AUR)
- openssl (openssl-git AUR, openssl-static AUR)
- util-linux (busybox-coreutils AUR, util-linux-selinux AUR, util-linux-aes AUR)
- wget (wget-git AUR, wurl AUR)
- sbsigntools (sbsigntools-git AUR) (optional) – For Microsoft signature database entries
Latest Comments
electrickite commented on 2021-11-09 02:13 (UTC)
sbsigntools has been added as an optional dependency.
AlphaJack commented on 2021-11-08 22:08 (UTC)
@e3a4 same, it's needed if the `-m` option is specified
e3a4 commented on 2021-10-18 14:39 (UTC)
I think `sbsiglist` needs to be added to the dependencies, had to install that separately when running it.
archdom commented on 2020-12-24 08:59 (UTC) (edited on 2020-12-24 09:00 (UTC) by archdom)
@mox: Appending Microsoft keys to the firmware does not undo that purpose. We need them only for booting Windows with Secure Boot enabled; otherwise you have to disable BitLocker (not recommended). Obviously, you have to sign Linux with different keys provided by the sbkeys package and afterwards, if you have Windows in dual boot, append the Microsoft keys, otherwise Windows can't start. This happens (at least in my case) because to add your own keys, you have to pass from setup mode to custom mode, losing the default Microsoft keys; therefore, they need to be appended again. If the sbkeys package could already provide these keys, it would be useful (with Windows in dual boot); otherwise just ignore them. In my case I had to run these steps. Maybe for you it will be different.
mox commented on 2020-12-23 23:39 (UTC)
I roll my own keys to be sure nothing runs unless I want it to. The M$ keys sort of defeat that purpose. Therefore, I think adding them should be at most optional, and if so, with a big warning that M$ did sign quite some things in the past.
archdom commented on 2020-05-16 16:17 (UTC) (edited on 2020-05-16 16:19 (UTC) by archdom)
Hi guy, according to the Arch Wiki https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Microsoft_Windows could you add Microsoft's certificates to make the package more complete? It would be very useful for many people! Here is an example:
```
echo -e "\n\nAdding Microsoft's certificates to the Signature Database.......\n\n"
wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth
echo -e "\n\nMicrosoft's certificates added!\n\n"
echo "For adding the microsoft's certificates to Signature Database, run 'append' of add_MS_db.auth file"
```
You can modify it as you prefer. Thanks!
electrickite commented on 2020-05-16 14:08 (UTC)
@archdom Thanks for the suggestion! Added generation of KEK.auth and DB.auth in v1.0.0
archdom commented on 2020-05-16 08:20 (UTC)
Some UEFI firmware accepts only ".auth" keys. Could you add auth key generation for KEK and DB?
```
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
  -k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
  -k KEK.key -c KEK.crt DB DB.esl DB.auth
```
Thank you