ksigner/docs/ksigner.8.in
2025-09-23 19:03:16 -05:00
.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration"
.SH NAME
ksigner \- Secure Boot kernel signing utility
.SH SYNOPSIS
.B ksigner
.RI { setup | sign | sign-all | version | status }
.RI [ vmlinuz_kernel_filepath ]
.SH DESCRIPTION
.B ksigner
is a utility for signing Linux kernels with custom keys for Secure Boot environments.
It supports signing individual kernels or all available kernels.
.SH COMMANDS
.TP
.B setup
Create and install signing keys. This must be run before any signing operations.
The command generates RSA-4096 keys, converts them to appropriate formats,
installs them in the system directories, and imports them to the Machine Owner Key (MOK) database.
After running this command, you must reboot and enroll the keys through the MOK management interface.
.TP
.B sign
Sign a single kernel file. If no kernel filepath is provided, signs the latest available kernel.
.TP
.B sign-all
Sign all available kernels in /boot that match the pattern vmlinuz-*.
Excludes rescue kernels.
.TP
.B version
Display version information.
.TP
.B status
Show the current status of signing keys and MOK enrollment.
.SH FILES
.TP
.I /etc/ksigner/ksigner.conf
Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
.TP
.I /etc/pki/sbsign/certs/MOK.pem
Public signing key in PEM format.
.TP
.I /etc/pki/sbsign/private/MOK.priv
Private signing key.
.TP
.I /etc/pki/sbsign/certs/MOK.der
Public signing key in DER format for MOK import.
.TP
.I /etc/kernel/postinst.d/zz-ksigner
Kernel update hook script for automatic signing.
.TP
.I /var/log/ksigner.log
Log file for automatic signing operations.
.SH CONFIGURATION
The behavior of ksigner can be customized through the configuration file
.IR /etc/ksigner/ksigner.conf .
Key configuration options include:
.TP
.B KEY_LIFETIME_DAYS
Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
.TP
.B SIGN_ON_UPDATE
Enable or disable automatic signing when kernels are updated (default: true).
.TP
.B AUTO_SIGN_TYPE
Type of automatic signing to perform on kernel updates.
Valid options are: sign, sign-all (default: sign).
.SH AUTOMATIC KERNEL SIGNING
When SIGN_ON_UPDATE is enabled in the configuration, new kernels are automatically signed
when they are installed through the package manager. The kernel update hook script
.I /etc/kernel/postinst.d/zz-ksigner
is executed during kernel package installation and performs the configured signing operation.
.SH EXAMPLES
.TP
Set up signing keys for the first time:
.B ksigner setup
.TP
Sign the latest kernel:
.B ksigner sign
.TP
Sign a specific kernel:
.B ksigner sign /boot/vmlinuz-6.1.0-13-amd64
.TP
Sign all kernels:
.B ksigner sign-all
.TP
Check the status of signing keys:
.B ksigner status
.SH REQUIREMENTS
The following packages must be installed for ksigner to function:
.IP \(bu 4
openssl - for key generation and certificate operations
.IP \(bu 4
mokutil - for Machine Owner Key management
.IP \(bu 4
sbsigntools - for signing kernels (provides sbsign command)
.IP \(bu 4
hmaccalc - for generating kernel HMAC files
.IP \(bu 4
sudo - for privilege escalation
.IP \(bu 4
bash (version 4.0 or later) - for shell scripting features
.SH SECURITY CONSIDERATIONS
.IP \(bu 4
Private keys are stored with restrictive permissions (600) in /etc/pki/sbsign/private/
.IP \(bu 4
The setup process requires manual MOK enrollment to prevent unauthorized key installation
.IP \(bu 4
All operations require root privileges
.IP \(bu 4
HMAC files are generated for signed kernels to maintain integrity
.SH EXIT STATUS
.B ksigner
exits with status 0 on success, and non-zero on error.
.SH BUGS
Report bugs to your distribution's bug tracking system or the project repository.
.SH SEE ALSO
.BR mokutil (8),
.BR sbsign (1),
.BR openssl (1),
.BR systemctl (1)