jbock-java/sign-efi-siglist

sign-efi-siglist

This tool is derived from efitools' "sign-efi-sig-list".
The name was changed to avoid confusion, because the output format is different:
"sign-efi-sig-list" creates output in "auth" format,
which is suitable for UEFI's standard "SetVariable" call.
By contrast, "sign-efi-siglist" outputs the native format of the Linux
"efivarfs" filesystem (the same signed data, prefixed with four extra bytes of variable "attributes").
On a Linux system this can be more convenient, because such a "vardata" file
can be copied directly into the efivarfs filesystem.
This means that Secure Boot keys can be enrolled
without an additional tool like "efi-updatevar".

efitools upstream

docs: UEFI Services - Runtime Services

docs: UEFI Secure Boot and Driver Signing

docs: kernel efivarfs

Install dependencies

# Ubuntu / Debian
sudo apt-get install gnu-efi
# Fedora
sudo dnf install gnu-efi-devel

Installation

sudo make install

Create and enroll your keys

Keys and certificates can be created with the openssl x509 command; see Controlling Secure Boot. Let's assume you have created three pairs consisting of 6 files:

PK.key PK.crt
KEK.key KEK.crt
myOrg.key myOrg.crt

We could have called the last pair db.key and db.crt. But let's assume for now that we also want to enroll the "fedora secure boot signing certificate" along with myOrg.crt.

The fedora certificate comes in the form of an additional file fedora.crt. Note that we do not have the corresponding private key.

Choose a GUID (this becomes the SignatureOwner of each entry) and convert all your crt files to "efi-siglist" format:

guid=4212023e-a290-11f0-bd3b-e446b04ad651
for name in PK KEK myOrg fedora; do
    cert-to-efi-sig-list -g $guid $name.crt $name.esl
done

The esl files can be concatenated. Combine myOrg.esl and fedora.esl to create db.esl:

cat myOrg.esl fedora.esl > db.esl

Now sign your esl files, thus creating three files PK.vardata, KEK.vardata and db.vardata:

timestamp="2025-10-06 12:00:01"
# PK signs PK
sign-efi-siglist -g $guid -t "$timestamp" -k PK.key -c PK.crt PK PK.esl PK.vardata
# PK signs KEK
sign-efi-siglist -g $guid -t "$timestamp" -k PK.key -c PK.crt KEK KEK.esl KEK.vardata
# KEK signs db
sign-efi-siglist -g $guid -t "$timestamp" -k KEK.key -c KEK.crt db db.esl db.vardata

The vardata files do not contain private key data, so they can be shared. Boot the target system in "Secure Boot Setup Mode" and enroll your keys:

chattr -i /sys/firmware/efi/efivars/*
cp db.vardata /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
cp KEK.vardata /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
cp PK.vardata /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
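To see what the enrolment above actually writes, here is an added example (not part of this project's code) that parses a vardata file into its parts: the 4-byte efivarfs attributes, the EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME plus WIN_CERTIFICATE_UEFI_GUID, laid out as in the UEFI specification linked above), and the signed EFI_SIGNATURE_LISTs. The builder functions construct a sample in that layout; the PKCS#7 bytes and certificate DER in the sample are placeholders, not real signatures, and the attribute value 0x27 (NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS) is the one used for PK, KEK and db.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

def parse_vardata(blob: bytes) -> dict:
    """Split a vardata file: efivarfs attributes, EFI_TIME, WIN_CERTIFICATE, then the signed lists."""
    attrs, = struct.unpack_from("<I", blob, 0)
    if not attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS:
        raise ValueError("attributes lack TIME_BASED_AUTHENTICATED_WRITE_ACCESS")
    # EFI_TIME is 16 bytes at offset 4; only the calendar fields are reported here
    year, month, day, hour, minute, second = struct.unpack_from("<HBBBBB", blob, 4)
    length, _revision, cert_type = struct.unpack_from("<IHH", blob, 20)
    if cert_type != WIN_CERT_TYPE_EFI_GUID or uuid.UUID(bytes_le=blob[28:44]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 signed EFI_VARIABLE_AUTHENTICATION_2 blob")
    pkcs7_len = length - 24          # dwLength covers the 8-byte header and the CertType GUID too
    pos, lists = 20 + length, []     # the signed payload (the original .esl bytes) starts here
    while pos < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        entries, entry = [], pos + 28 + hdr_size
        while entry < pos + list_size:   # each entry: 16-byte SignatureOwner + SignatureData
            entries.append((str(uuid.UUID(bytes_le=blob[entry:entry + 16])), sig_size - 16))
            entry += sig_size
        lists.append({"x509": sig_type == EFI_CERT_X509_GUID, "entries": entries})
        pos += list_size
    return {"attrs": attrs, "time": (year, month, day, hour, minute, second),
            "pkcs7_len": pkcs7_len, "lists": lists}

def build_esl(owner: str, der: bytes) -> bytes:
    """One EFI_SIGNATURE_LIST with a single X.509 entry (the shape cert-to-efi-sig-list emits)."""
    sig_size = 16 + len(der)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + uuid.UUID(owner).bytes_le + der)

def build_vardata(esl: bytes, pkcs7: bytes, attrs: int = 0x27) -> bytes:
    """Constructed sample in vardata layout; pkcs7 is a placeholder, not a real signature."""
    efi_time = struct.pack("<HBBBBBBIhBB", 2025, 10, 6, 12, 0, 1, 0, 0, 0, 0, 0)
    win_cert = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return struct.pack("<I", attrs) + efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl

if __name__ == "__main__":
    guid = "4212023e-a290-11f0-bd3b-e446b04ad651"   # the GUID chosen above
    db = build_esl(guid, b"\x30\x03\x02\x01\x01") + build_esl(guid, b"\x30\x03\x02\x01\x02")
    print(parse_vardata(build_vardata(db, b"\x30\x00")))
```

Pointing parse_vardata at a real db.vardata shows the two concatenated lists (myOrg and fedora), each carrying the chosen GUID as owner; a file whose attributes lack the time-based bit is rejected because efivarfs would not accept it for an authenticated variable.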
