.TH ksigner 8 "@MONTH@ @YEAR@" "ksigner @VERSION@" "System Administration"
.SH NAME
ksigner \- Secure Boot kernel signing utility
.SH SYNOPSIS
.B ksigner
.RI { setup | sign | sign-all | version | status }
.RI [ vmlinuz_kernel_filepath ]
.SH DESCRIPTION
.B ksigner
signs Linux kernels with a locally generated Machine Owner Key (MOK) so that
they boot under UEFI Secure Boot through shim. It can sign a single kernel or
every kernel installed in
.IR /boot ,
and on DNF5 systems it integrates with libdnf5-plugin-actions to sign new
kernels automatically as they are installed.
.SH COMMANDS
.TP
.B setup
Create and install the signing keys. Run this once before any signing
operation. It generates an RSA-4096 key pair with a self-signed certificate,
writes the certificate in PEM format (for
.BR sbsign )
and in DER format (for
.BR mokutil ),
installs them under
.IR /etc/pki/sbsign/ ,
and queues the certificate for enrollment in the MOK database with
.BR mokutil ,
which asks for a one-time password at this point. You must then reboot and
confirm the enrollment in the MokManager screen, where the same password is
requested. Until that is done, a kernel whose only valid signature comes from
the new key will not boot.
.TP
.B sign
Sign a single kernel file. If no kernel filepath is given, the newest
available kernel is signed.
.TP
.B sign-all
Sign every kernel in
.I /boot
whose name matches
.IR vmlinuz-* ,
excluding rescue kernels.
.TP
.B version
Display version information.
.TP
.B status
Show the current state of the signing keys and of MOK enrollment.
.SH FILES
.TP
.I /etc/ksigner/ksigner.conf
Main configuration file. Contains key paths, automatic signing settings and
LTS version definitions.
.TP
.I /etc/pki/sbsign/certs/MOK.pem
Signing certificate (public key) in PEM format, the form
.B sbsign
uses.
.TP
.I /etc/pki/sbsign/private/MOK.priv
Private signing key. Anyone who can read this file can sign kernels that
this machine will boot.
.TP
.I /etc/pki/sbsign/certs/MOK.der
Signing certificate in DER format, the form
.B mokutil
imports into the MOK database.
.TP
.I /var/log/ksigner.log
Log file for automatic signing operations.
.TP
.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
libdnf5 actions file that runs ksigner after kernel package transactions for
automatic signing.
.SH CONFIGURATION
The behavior of ksigner can be customized through the configuration file
.IR /etc/ksigner/ksigner.conf .
Key configuration options include:
.TP
.B KEY_LIFETIME_DAYS
Number of days the signing certificate remains valid (default: 36500, about
100 years). Secure Boot verification does not check certificate expiry at
boot time, so the long default mainly avoids ever having to re-enroll.
.TP
.B AUTO_SIGN
Enable or disable automatic kernel signing when kernels are installed
through the package manager. Set to "true" to enable or "false" to disable
(default: true). Only effective on DNF5 systems with libdnf5-plugin-actions
installed.
.SH SYSTEMD INTEGRATION
The package includes systemd service files for integration with the system.
.SH AUTOMATIC KERNEL SIGNING
On systems using DNF5, ksigner can sign newly installed kernels
automatically through a post-transaction hook. The feature is controlled by
the
.B AUTO_SIGN
setting in the configuration file. When it is enabled, the libdnf5 actions
file
.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
runs ksigner after a kernel package has been installed, and the configured
signing operation is performed immediately. All signing operations are
logged to
.IR /var/log/ksigner.log .
.PP
Automatic signing requires that the keys have been created with
.B ksigner setup
and that the MOK has been enrolled. Check
.I /var/log/ksigner.log
after a kernel update and before rebooting: if the hook failed, a kernel
that carries no trusted signature will be refused by Secure Boot.
.SH EXAMPLES
.TP
Set up signing keys for the first time:
.B ksigner setup
.TP
Sign the latest kernel:
.B ksigner sign
.TP
Sign a specific kernel:
.B ksigner sign /boot/vmlinuz-6.1.0-13-amd64
.TP
Sign all kernels:
.B ksigner sign-all
.TP
Check the status of signing keys:
.B ksigner status
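.PP
The following script is an added example and not ksigner's own code: it
reproduces what the setup, sign and sign-all commands described above do,
using the tools listed under REQUIREMENTS. The key and certificate paths are
those from the FILES section; the exact openssl, sbsign, sbverify, mokutil and
sha512hmac invocations, the certificate subject and the .hmac file naming are
assumptions about how ksigner implements them. It goes beyond the page in two
places: it skips kernels that already verify against the certificate, and it
signs to a temporary file and renames it so that an interrupted run never
leaves a truncated kernel in /boot.

```shell
#!/usr/bin/env bash
# Added example (not ksigner's own code): the key-generation and signing
# pipeline the COMMANDS section of ksigner(8) describes, done with the tools
# from REQUIREMENTS. Paths are from the FILES section; the tool invocations,
# certificate subject and .hmac naming are assumptions.
set -euo pipefail

CERT_DIR=/etc/pki/sbsign/certs
KEY_DIR=/etc/pki/sbsign/private
KEY="$KEY_DIR/MOK.priv"
PEM="$CERT_DIR/MOK.pem"
DER="$CERT_DIR/MOK.der"
KEY_LIFETIME_DAYS="${KEY_LIFETIME_DAYS:-36500}"   # default from ksigner.conf

die() { echo "error: $*" >&2; exit 1; }

# Kernels eligible for sign-all: DIR/vmlinuz-* minus rescue images,
# version-sorted (GNU sort -V) so the last entry is the newest kernel.
list_kernels() {
    local dir="${1:-/boot}" k
    for k in "$dir"/vmlinuz-*; do
        [ -f "$k" ] || continue
        case "${k##*/}" in *rescue*) continue ;; esac
        printf '%s\n' "$k"
    done | sort -V
}

latest_kernel() { list_kernels "${1:-/boot}" | tail -n 1; }

# setup: RSA-4096 key with a self-signed certificate; PEM for sbsign,
# DER for mokutil. The private key is created with mode 600.
cmd_setup() {
    install -d -m 755 "$CERT_DIR"
    install -d -m 700 "$KEY_DIR"
    umask 077
    openssl req -new -x509 -newkey rsa:4096 -nodes -days "$KEY_LIFETIME_DAYS" \
        -subj "/CN=Machine Owner Key for local kernel signing/" \
        -keyout "$KEY" -outform DER -out "$DER"
    openssl x509 -in "$DER" -inform DER -out "$PEM" -outform PEM
    chmod 600 "$KEY"
    chmod 644 "$DER" "$PEM"
    # Queues the certificate for enrollment; MokManager asks for the password
    # entered here at the next boot, which is the manual step the page requires.
    mokutil --import "$DER"
    echo "reboot and confirm the enrollment in MokManager to finish setup"
}

# sign: skip kernels that already verify against our certificate, sign to a
# temporary file and rename it, then regenerate the HMAC because signing
# changed the image bytes and the old HMAC would no longer verify.
cmd_sign() {
    local k="${1:-$(latest_kernel /boot)}"
    [ -f "$k" ] || die "no such kernel: $k"
    if sbverify --cert "$PEM" "$k" >/dev/null 2>&1; then
        echo "already signed with $PEM: $k"; return 0
    fi
    sbsign --key "$KEY" --cert "$PEM" --output "$k.signed" "$k"
    sbverify --cert "$PEM" "$k.signed"
    mv -f "$k.signed" "$k"
    sha512hmac "$k" > "$(dirname "$k")/.$(basename "$k").hmac"   # assumed naming
    echo "signed: $k"
}

cmd_sign_all() {
    local k
    while IFS= read -r k; do cmd_sign "$k"; done < <(list_kernels /boot)
}

main() {
    [ "$(id -u)" -eq 0 ] || die "must run as root"
    case "${1:-}" in
        setup)    cmd_setup ;;
        sign)     cmd_sign "${2:-}" ;;
        sign-all) cmd_sign_all ;;
        *)        die "usage: $0 {setup|sign [kernel]|sign-all}" ;;
    esac
}

# Dispatch only when a command is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root: first
.B setup
(enter a password when mokutil asks), reboot and confirm the enrollment in
MokManager with that password, then
.B sign-all
or
.B sign
with a kernel path. The sbverify check before signing is what makes the
script safe to run repeatedly from a package-manager hook.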
.SH REQUIREMENTS
The following packages must be installed for ksigner to function:
.IP \(bu 4
openssl \- key generation and certificate conversion
.IP \(bu 4
mokutil \- Machine Owner Key management
.IP \(bu 4
sbsigntools \- kernel signing and verification (provides
.BR sbsign " and " sbverify )
.IP \(bu 4
hmaccalc \- generation of kernel HMAC files
.IP \(bu 4
sudo \- privilege escalation
.IP \(bu 4
bash (version 4.0 or later) \- shell scripting features
.IP \(bu 4
libdnf5-plugin-actions \- automatic kernel signing (Fedora systems only)
.SH SECURITY CONSIDERATIONS
.IP \(bu 4
The private key is stored with mode 600 in
.IR /etc/pki/sbsign/private/ .
Whoever can read it can sign kernels that this machine will boot, so do not
copy it into backups or onto media that others can read.
.IP \(bu 4
MOK enrollment must be confirmed in MokManager at the console during the
next boot. An attacker with remote root access cannot complete that step,
which is what prevents silent installation of a foreign key; for the same
reason, never confirm an enrollment prompt for a key you did not just create
with
.BR "ksigner setup" .
.IP \(bu 4
All operations require root privileges.
.IP \(bu 4
HMAC files are regenerated for every signed kernel: signing changes the
kernel image, so the existing HMAC would no longer verify.
.SH EXIT STATUS
.B ksigner
exits with status 0 on success and non-zero on error.
.SH BUGS
Report bugs to your distribution's bug tracking system or the project
repository.
.SH SEE ALSO
.BR mokutil (8),
.BR sbsign (1),
.BR sbverify (1),
.BR openssl (1),
.BR systemctl (1)
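.PP
The checks behind the
.B status
command and the points under SECURITY CONSIDERATIONS, as an added example
that is not ksigner's own code: it reads AUTO_SIGN and KEY_LIFETIME_DAYS
from the configuration file without sourcing it, verifies the private key's
mode and owner, asks mokutil whether Secure Boot is on and whether the
certificate is enrolled, and reports which kernels in /boot verify against
the certificate. Paths are those in FILES; the KEY=value configuration
syntax with optional quotes and # comments, mokutil's exit-status semantics
for --test-key, and the report wording are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not ksigner's own code): the checks a "status" command
# would run. Paths are from the FILES section of ksigner(8); the KEY=value
# config syntax and the report wording are assumptions.
set -euo pipefail

CONF=/etc/ksigner/ksigner.conf
KEY=/etc/pki/sbsign/private/MOK.priv
PEM=/etc/pki/sbsign/certs/MOK.pem
DER=/etc/pki/sbsign/certs/MOK.der

# Read one KEY=value setting. The file is deliberately not sourced: sourcing
# would execute any shell code in it as root, while this only extracts the
# value. Handles optional quotes, trailing "# comments", and a missing file
# or key (the default is returned).
conf_get() {
    local file="$1" key="$2" default="${3:-}" val
    [ -r "$file" ] || { printf '%s\n' "$default"; return 0; }
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1)
    val="${val%%#*}"                                # drop trailing comment
    val=$(printf '%s' "$val" | tr -d "\"'")         # drop surrounding quotes
    val="${val%"${val##*[![:space:]]}"}"            # trim trailing whitespace
    printf '%s\n' "${val:-$default}"
}

# The private key must be mode 600 and owned by the expected user (root on a
# real system; the caller may pass another owner). GNU stat is assumed.
check_key_perms() {
    local key="$1" owner="${2:-root}" actual
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    actual=$(stat -c '%a %U' "$key")
    if [ "$actual" = "600 $owner" ]; then return 0; fi
    echo "bad permissions on $key: $actual (want 600 $owner)"
    return 1
}

# Full report: configuration, key permissions, Secure Boot state, MOK
# enrollment and which kernels in /boot verify against our certificate.
# Exit status is non-zero if the key or the enrollment is in a bad state.
status_report() {
    local rc=0 k
    echo "AUTO_SIGN=$(conf_get "$CONF" AUTO_SIGN true)" \
         "KEY_LIFETIME_DAYS=$(conf_get "$CONF" KEY_LIFETIME_DAYS 36500)"
    check_key_perms "$KEY" root || rc=1
    mokutil --sb-state || true     # prints "SecureBoot enabled" or "disabled"
    # --test-key is taken to exit 0 when the certificate is already enrolled
    if mokutil --test-key "$DER" >/dev/null 2>&1; then
        echo "MOK: enrolled"
    else
        echo "MOK: not enrolled (reboot and confirm in MokManager)"; rc=1
    fi
    for k in /boot/vmlinuz-*; do
        [ -f "$k" ] || continue
        if sbverify --cert "$PEM" "$k" >/dev/null 2>&1; then
            echo "signed by MOK.pem:     $k"
        else
            echo "not signed by MOK.pem: $k"
        fi
    done
    return "$rc"
}

# Report only when asked, so the functions can also be sourced or tested.
if [ "${1:-}" = status ]; then status_report; fi
```

A kernel reported as not signed by MOK.pem may still boot if it carries the
distribution's signature; the line is informational, while a wrong key mode
or an unenrolled MOK fails the report because either one would make a
freshly signed kernel unbootable.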