.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration"
.SH NAME
ksigner \- Secure Boot kernel signing utility
.SH SYNOPSIS
.B ksigner
.RI { setup | sign | sign-all | version | status }
.RI [ vmlinuz_kernel_filepath ]
.SH DESCRIPTION
.B ksigner
is a utility for signing Linux kernels with custom keys for Secure Boot environments.
It supports signing individual kernels or all available kernels.
.SH COMMANDS
.TP
.B setup
Create and install signing keys.
This must be run before any signing operations.
The command generates RSA-4096 keys, converts them to appropriate formats, installs them in the system directories, and imports them to the Machine Owner Key (MOK) database.
After running this command, you must reboot and enroll the keys through the MOK management interface.
.TP
.B sign
Sign a single kernel file.
If no kernel filepath is provided, signs the latest available kernel.
.TP
.B sign-all
Sign all available kernels in /boot that match the pattern vmlinuz-*.
Excludes rescue kernels.
.TP
.B version
Display version information.
.TP
.B status
Show the current status of signing keys and MOK enrollment.
.SH FILES
.TP
.I /etc/ksigner/ksigner.conf
Main configuration file.
.TP
.I /etc/pki/sbsign/certs/MOK.pem
Public signing key in PEM format.
.TP
.I /etc/pki/sbsign/private/MOK.priv
Private signing key.
.TP
.I /etc/pki/sbsign/certs/MOK.der
Public signing key in DER format for MOK import.
.TP
.I /var/log/ksigner.log
Log file.
.SH CONFIGURATION
The behavior of ksigner can be customized through the configuration file
.IR /etc/ksigner/ksigner.conf .
Key configuration options include:
.TP
.B KEY_LIFETIME_DAYS
Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
.SH EXAMPLES
.TP
Set up signing keys for the first time:
.B ksigner setup
.TP
Sign the latest kernel:
.B ksigner sign
.TP
Sign a specific kernel:
.B ksigner sign /boot/vmlinuz-6.1.0-13-amd64
.TP
Sign all kernels:
.B ksigner sign-all
.TP
Check the status of signing keys:
.B ksigner status
.SH REQUIREMENTS
The following packages must be installed for ksigner to function:
.IP \(bu 4
openssl - for key generation and certificate operations
.IP \(bu 4
mokutil - for Machine Owner Key management
.IP \(bu 4
sbsigntools - for signing kernels (provides sbsign command)
.IP \(bu 4
hmaccalc - for generating kernel HMAC files
.IP \(bu 4
sudo - for privilege escalation
.IP \(bu 4
bash (version 4.0 or later) - for shell scripting features
.SH SECURITY CONSIDERATIONS
.IP \(bu 4
Private keys are stored with restrictive permissions (600) in /etc/pki/sbsign/private/
.IP \(bu 4
The setup process requires manual MOK enrollment to prevent unauthorized key installation
.IP \(bu 4
All operations require root privileges
.IP \(bu 4
HMAC files are generated for signed kernels to maintain integrity
.SH EXIT STATUS
.B ksigner
exits with status 0 on success, and non-zero on error.
.SH BUGS
Report bugs to your distribution's bug tracking system or the project repository.
.SH SEE ALSO
.BR mokutil (8),
.BR sbsign (1),
.BR openssl (1),
.BR systemctl (1)
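.SH NOTES
.PP
The script below is an added example, not part of ksigner or its project: it audits the key files listed under FILES against the points in SECURITY CONSIDERATIONS, then checks MOK enrollment and kernel signatures with mokutil and sbverify (from sbsigntools).
The function names, the root-owner expectation and the directory write check are assumptions; GNU stat and find are assumed.
.nf
```sh
#!/bin/sh
# Added example, not part of ksigner. Paths come from the FILES section;
# function names and the root-owner expectation are assumptions.
PRIV_KEY=/etc/pki/sbsign/private/MOK.priv
PEM_CERT=/etc/pki/sbsign/certs/MOK.pem
DER_CERT=/etc/pki/sbsign/certs/MOK.der

# True only if $1 is a regular file (not a symlink), mode exactly 600,
# owned by uid $2 (default 0, i.e. root).
key_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c %a "$1")" = 600 ] || return 1
    [ "$(stat -c %u "$1")" = "${2:-0}" ]
}

# True only if the directory holding $1 is not group- or world-writable;
# a writable directory lets another user swap the key despite mode 600.
key_dir_ok() {
    [ -z "$(find "$(dirname "$1")" -maxdepth 0 -perm /022)" ]
}

# Run every check against the installed keys; returns the failure count.
audit_ksigner_keys() {
    fail=0
    key_file_ok "$PRIV_KEY" ||
        { echo "FAIL: $PRIV_KEY is not a root-owned 600 file"; fail=$((fail + 1)); }
    key_dir_ok "$PRIV_KEY" ||
        { echo "FAIL: directory of $PRIV_KEY is group/world writable"; fail=$((fail + 1)); }
    # mokutil reports whether the DER certificate is already enrolled.
    mokutil --test-key "$DER_CERT"
    # Same kernel set as sign-all: vmlinuz-* in /boot, rescue kernels skipped.
    for k in /boot/vmlinuz-*; do
        case "$k" in *rescue*) continue ;; esac
        sbverify --cert "$PEM_CERT" "$k" >/dev/null 2>&1 ||
            { echo "FAIL: $k does not verify against $PEM_CERT"; fail=$((fail + 1)); }
    done
    return "$fail"
}

# Only audit the live system when asked to: sh audit.sh --audit (as root).
if [ "${1:-}" = "--audit" ]; then
    audit_ksigner_keys
fi
```
.fi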