Package Details: sbkeys 1.1.0-1

Git Clone URL: https://aur.archlinux.org/sbkeys.git (read-only)
Package Base: sbkeys
Description: Simple script to generate Secure Boot keys
Upstream URL: https://github.com/electrickite/sbkeys
Licenses: GPL3
Submitter: electrickite
Maintainer: electrickite
Last Packager: electrickite
Votes: 3
Popularity: 0.24
First Submitted: 2017-03-13 02:03
Last Updated: 2021-01-17 03:46

Latest Comments

archdom commented on 2020-12-24 08:59

@mox: Appending Microsoft keys to the firmware does not undo that purpose. We need them only for booting Windows with Secure Boot enabled; otherwise you have to disable BitLocker (not recommended). Obviously, you have to sign Linux with the different keys provided by the sbkeys package and afterwards, if you have Windows in dual boot, append the Microsoft keys; otherwise Windows can't start. This happens (at least in my case) because, to add your own keys, you have to pass from setup mode to custom mode, losing the default Microsoft keys; therefore, they need to be appended again. If the sbkeys package could already provide these keys, it would be useful (with Windows in dual boot); otherwise just ignore them. In my case I had to run these steps. Maybe for you it will be different.

mox commented on 2020-12-23 23:39

I roll my own keys to be sure nothing runs unless I want it to. The M$ keys sort of defeat that purpose. Therefore, I think adding them should be at most optional, and if so, with a big warning that M$ did sign quite some things in the past.

archdom commented on 2020-05-16 16:17

Hi guy, according to the Arch wiki https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Microsoft_Windows could you add Microsoft's certificates to make the package more complete? It would be very useful for many people! Here is an example:

echo -e "\n\nAdding Microsoft's certificates to the Signature Database.......\n\n"

wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt

wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt

sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt

cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl

sign-efi-sig-list -a -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth

echo -e "\n\nMicrosoft's certificates added!\n\n"

echo "For adding the microsoft's certificates to Signature Database, run 'append' of add_MS_db.auth file"

Modify it as you prefer. Thanks!
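
An added example, not part of the comment above or of the sbkeys project: a small Python parser that lists what a concatenated signature list such as MS_db.esl contains (type, owner GUID, SHA-256 of each entry), so it can be reviewed before it is signed and appended to db. The function names and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: marks a list of DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # owner GUID used in the comment


def parse_esl(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (type, owner, sha256) per entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:  # 16-byte type GUID + three little-endian UINT32 sizes
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if list_size > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        pos = off + 28 + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((sig_type, owner, hashlib.sha256(data).hexdigest()))
            pos += sig_size
        off += list_size
    return entries


def build_esl(owner, cert_der):
    """Constructed test input: one X.509 signature list holding a single entry."""
    sig_size = 16 + len(cert_der)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


if __name__ == "__main__":
    # Constructed placeholder bytes stand in for the two downloaded .crt files.
    combined = build_esl(MS_OWNER, b"constructed-cert-A") + build_esl(MS_OWNER, b"constructed-cert-B")
    for sig_type, owner, digest in parse_esl(combined):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else str(sig_type)
        print(f"{kind}  owner={owner}  sha256={digest}")
```

For a real x509 entry the digest equals the certificate's SHA-256 fingerprint (as printed by `openssl x509 -inform DER -noout -fingerprint -sha256`), so it can be compared against a value obtained from a trusted source.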

electrickite commented on 2020-05-16 14:08

@archdom Thanks for the suggestion! Added generation of KEK.auth and DB.auth in v1.0.0

archdom commented on 2020-05-16 08:20

Some UEFI firmware accepts only ".auth" keys. Could you add auth key generation for KEK and DB?

sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k PK.key -c PK.crt KEK KEK.esl KEK.auth

sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k KEK.key -c KEK.crt DB DB.esl DB.auth

Thank you