.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration"
.SH NAME
ksigner \- Secure Boot kernel signing utility
.SH SYNOPSIS
.B ksigner
.RI { setup | sign | sign-all | version | status }
.RI [ vmlinuz_kernel_filepath ]
.SH DESCRIPTION
.B ksigner
is a utility for signing Linux kernels with custom keys for Secure Boot
environments. It supports signing individual kernels or all available kernels.
.SH COMMANDS
.TP
.B setup
Create and install signing keys. This must be run before any signing
operations. The command generates an RSA-4096 key pair with a self-signed
certificate, converts the certificate to the formats needed by
.BR sbsign (1)
and
.BR mokutil (8),
installs them in the system directories, and queues the certificate for
import into the Machine Owner Key (MOK) database. After running this command,
you must reboot and enroll the certificate through the MOK management
interface (MokManager), confirming it with the password chosen during import.
.TP
.B sign
Sign a single kernel file. If no kernel filepath is provided, signs the latest
available kernel.
.TP
.B sign-all
Sign all kernels in /boot that match the pattern vmlinuz-*. Rescue kernels are
excluded.
.TP
.B version
Display version information.
.TP
.B status
Show the current status of the signing keys and of MOK enrollment.
.SH FILES
.TP
.I /etc/ksigner/ksigner.conf
Main configuration file. Contains key paths, automatic signing settings, and
LTS version definitions.
.TP
.I /etc/pki/sbsign/certs/MOK.pem
Signing certificate (public half of the key pair) in PEM format, as passed to
.BR sbsign (1).
.TP
.I /etc/pki/sbsign/private/MOK.priv
Private signing key.
.TP
.I /etc/pki/sbsign/certs/MOK.der
Signing certificate in DER format, the form
.BR mokutil (8)
imports into the MOK database.
.TP
.I /etc/kernel/postinst.d/zz-ksigner
Kernel update hook script for automatic signing.
.TP
.I /var/log/ksigner.log
Log file for automatic signing operations.
.SH CONFIGURATION
The behavior of ksigner can be customized through the configuration file
.IR /etc/ksigner/ksigner.conf .
Key configuration options include:
.TP
.B KEY_LIFETIME_DAYS
Number of days the signing certificate should remain valid (default: 36500,
approximately 100 years).
.TP
.B SIGN_ON_UPDATE
Enable or disable automatic signing when kernels are updated (default: true).
.TP
.B AUTO_SIGN_TYPE
Type of automatic signing to perform on kernel updates. Valid options are:
sign, sign-all (default: sign).
.SH AUTOMATIC KERNEL SIGNING
When SIGN_ON_UPDATE is enabled in the configuration, new kernels are
automatically signed when they are installed through the package manager. The
kernel update hook script
.I /etc/kernel/postinst.d/zz-ksigner
is executed during kernel package installation and performs the configured
signing operation. Kernels installed by other means (for example a locally
built kernel copied into /boot) do not trigger the hook and must be signed
with an explicit
.B ksigner sign
invocation.
.SH EXAMPLES
.TP
Set up signing keys for the first time:
.B ksigner setup
.TP
Sign the latest kernel:
.B ksigner sign
.TP
Sign a specific kernel:
.B ksigner sign /boot/vmlinuz-6.1.0-13-amd64
.TP
Sign all kernels:
.B ksigner sign-all
.TP
Check the status of signing keys:
.B ksigner status
.SH REQUIREMENTS
The following packages must be installed for ksigner to function:
.IP \(bu 4
openssl \- for key generation and certificate operations
.IP \(bu 4
mokutil \- for Machine Owner Key management
.IP \(bu 4
sbsigntools \- for signing kernels (provides the sbsign and sbverify commands)
.IP \(bu 4
hmaccalc \- for generating kernel HMAC files
.IP \(bu 4
sudo \- for privilege escalation
.IP \(bu 4
bash (version 4.0 or later) \- for shell scripting features
.SH SECURITY CONSIDERATIONS
.IP \(bu 4
The private key is stored with restrictive permissions (600) in
/etc/pki/sbsign/private/. Any process running as root can still read it and
sign a kernel that this machine will boot, so a root compromise also
compromises the trust the MOK establishes; keep an offline backup of the key
and treat the directory as sensitive.
.IP \(bu 4
The setup process only queues the certificate for enrollment. Enrollment must
be confirmed in MokManager at the next boot with the password given to
mokutil; this physical-presence step is what prevents a certificate from being
installed into the MOK database without the machine owner noticing.
.IP \(bu 4
All operations require root privileges.
.IP \(bu 4
Until the certificate is enrolled, shim will refuse to boot a kernel whose
only signature comes from it. Run
.B ksigner status
and confirm enrollment before rebooting into a freshly signed kernel.
.IP \(bu 4
HMAC files are generated for signed kernels so that the FIPS integrity
self-check, which compares the image against the .hmac file produced by
hmaccalc, still passes after signing changed the image bytes.
.SH EXIT STATUS
.B ksigner
exits with status 0 on success, and non-zero on error.
.SH BUGS
Report bugs to your distribution's bug tracking system or the project
repository.
.SH SEE ALSO
.BR mokutil (8),
.BR sbsign (1),
.BR sbverify (1),
.BR openssl (1),
.BR systemctl (1)
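.SH WORKED EXAMPLE
.PP
The following bash script is an added example written for this page; it is
not ksigner's own source. It assumes that ksigner.conf consists of KEY=value
lines, that the hook is invoked the way Debian's run-parts calls
/etc/kernel/postinst.d scripts (kernel version, then image path), and that the
HMAC file is written next to the image as .vmlinuz-VERSION.hmac; the ksig_*
function names are illustrative. It walks the same procedure the COMMANDS and
AUTOMATIC KERNEL SIGNING sections describe: key generation and MOK import,
version-ordered kernel discovery that skips rescue images, signing into a
temporary file that atomically replaces the kernel, the enrollment check behind
.BR status ,
and a post-install hook that honours SIGN_ON_UPDATE and AUTO_SIGN_TYPE.

```bash
#!/bin/bash
# Added example modelled on ksigner(8); not the project's own code.
# The ksig_* names, the KEY=value config format and the .hmac naming are assumptions.
set -u

KSIGNER_CONF=${KSIGNER_CONF:-/etc/ksigner/ksigner.conf}
SB_DIR=${SB_DIR:-/etc/pki/sbsign}
LOG=${KSIGNER_LOG:-/var/log/ksigner.log}

# setup: RSA-4096 key plus self-signed cert (DER for mokutil, PEM for sbsign), then queue MOK import.
ksig_make_keys() {
    days=${1:-36500}
    ( umask 077
      mkdir -p "$SB_DIR/private" "$SB_DIR/certs" &&
      openssl req -new -x509 -newkey rsa:4096 -nodes -sha256 -days "$days" \
          -subj "/CN=ksigner Machine Owner Key/" \
          -keyout "$SB_DIR/private/MOK.priv" -outform DER -out "$SB_DIR/certs/MOK.der" &&
      openssl x509 -inform DER -in "$SB_DIR/certs/MOK.der" -out "$SB_DIR/certs/MOK.pem"
    ) || return 1
    chmod 600 "$SB_DIR/private/MOK.priv"
    chmod 644 "$SB_DIR/certs/MOK.der" "$SB_DIR/certs/MOK.pem"
    # mokutil asks for a one-time password; MokManager demands it again at the next boot.
    # That physical-presence step is what stops a remote root from enrolling a key silently.
    mokutil --import "$SB_DIR/certs/MOK.der"
}

# Kernels in $1 (default /boot) matching vmlinuz-*, rescue images dropped, ordered by version.
# sort -V is required: a plain sort puts vmlinuz-6.1.0-13 before vmlinuz-6.1.0-9.
ksig_list_kernels() {
    for k in "${1:-/boot}"/vmlinuz-*; do
        [ -e "$k" ] || continue
        case "$k" in *rescue*) continue ;; esac
        printf '%s\n' "$k"
    done | sort -V
}

ksig_latest_kernel() { ksig_list_kernels "${1:-/boot}" | tail -n 1; }

# sign: skip images that already verify against our cert, sign into a temp file beside the
# image and rename over it (never a half-written kernel in /boot), then refresh the FIPS HMAC.
ksig_sign_kernel() {
    kernel=$1
    key=$SB_DIR/private/MOK.priv
    cert=$SB_DIR/certs/MOK.pem
    if sbverify --cert "$cert" "$kernel" >/dev/null 2>&1; then
        echo "already signed with our MOK: $kernel"
        return 0
    fi
    tmp=$(mktemp "$kernel.XXXXXX") || return 1
    if ! sbsign --key "$key" --cert "$cert" --output "$tmp" "$kernel" ||
       ! chmod --reference="$kernel" "$tmp" || ! mv -f "$tmp" "$kernel"; then
        rm -f "$tmp"; return 1
    fi
    if command -v sha512hmac >/dev/null 2>&1; then   # hmaccalc; file name is an assumption
        dir=$(dirname "$kernel"); base=$(basename "$kernel")
        ( cd "$dir" && sha512hmac "$base" > ".$base.hmac" )
    fi
}

# Read KEY from ksigner.conf (assumed KEY=value lines, optional double quotes); $2 is the default.
# Parsed with sed rather than sourced, so a stray line in the config cannot execute as root.
ksig_conf() {
    v=$(sed -n "s/^[[:space:]]*$1=//p" "$KSIGNER_CONF" 2>/dev/null | tail -n 1 | tr -d '"')
    printf '%s\n' "${v:-$2}"
}

# status: Secure Boot state and whether our certificate is actually in MokList.
ksig_status() {
    mokutil --sb-state
    if mokutil --test-key "$SB_DIR/certs/MOK.der" >/dev/null 2>&1; then
        echo "MOK.der: enrolled"
    else
        echo "MOK.der: NOT enrolled; shim will refuse kernels signed with it until you reboot and enroll"
    fi
}

# /etc/kernel/postinst.d/zz-ksigner entry point: $1 = kernel version, $2 = image path.
ksig_hook() {
    [ "$(ksig_conf SIGN_ON_UPDATE true)" = true ] || return 0
    case "$(ksig_conf AUTO_SIGN_TYPE sign)" in
        sign-all) ksig_list_kernels /boot | while IFS= read -r k; do ksig_sign_kernel "$k"; done ;;
        *)        ksig_sign_kernel "${2:-/boot/vmlinuz-$1}" ;;
    esac >> "$LOG" 2>&1
}

# Subcommand dispatch mirroring ksigner's CLI; runs only when arguments are given.
ksig_main() {
    case "$1" in
        setup)    ksig_make_keys "$(ksig_conf KEY_LIFETIME_DAYS 36500)" ;;
        sign)     ksig_sign_kernel "${2:-$(ksig_latest_kernel /boot)}" ;;
        sign-all) ksig_list_kernels /boot | while IFS= read -r k; do ksig_sign_kernel "$k"; done ;;
        status)   ksig_status ;;
        hook)     ksig_hook "${2:-}" "${3:-}" ;;
        *) echo "usage: $0 {setup|sign [kernel]|sign-all|status|hook VERSION [IMAGE]}" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then ksig_main "$@"; fi
```

The kernel discovery and config parsing run without privileges and can be
exercised on any machine; the signing, import and status paths need root plus
the sbsigntools, mokutil and hmaccalc binaries listed under REQUIREMENTS.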