Undo 'sbsign' on executable, remove an attached image signature

linux uefi secure-boot

I've signed an EFI image using the sbsign utility from the sbsigntools package, for example:

# sbsign --key db.key --cert db.pem \
    --output /boot/efi/EFI/Grub/grubx64.efi /boot/efi/EFI/Grub/grubx64.efi

This results in, for example:

# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
signature 1
image signature issuers:
 - /CN=My Signature DB Key
image signature certificates:
 - subject: /CN=My Signature DB Key
   issuer:  /CN=My Signature DB Key

My question is simply this, is there a Linux utility that can properly remove this attached signature from this binary file?


Solution 1:

Also included in the sbsigntools package is the sbattach utility, this will do the job, though it's not immediately obvious.

I'll just mention that you need to know what you're doing and why you're doing it. You can break Secure Boot if you don't understand what's about to happen. For instance, if you were to remove a 3rd party signature (i.e. Microsoft's) from an image, you would be unable to re-sign the image without the issuer's Private Key.

…and be sure to check out man sbattach ...as brief as it is.

From the example in my question...

# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
signature 1
...

signature 1 is mine, and I want to remove it from the image. It is possible for an image to have multiple signatures, from multiple issuers.

To create a detached backup of a signature in $PWD, you may do this:

# sbattach --signum 1 --detach grubx64.sig /boot/efi/EFI/Grub/grubx64.efi

(Of course, you should backup the file as well.)

Note that --signum is optional, but without it the command will default to the first signature. This means that if you were to modify an image originally signed by a 3rd party with the goal of removing a signature that you had added, the default behavior would be to remove the 3rd party signature, not yours.

To remove a signature, you may do this:

# sbattach --signum 1 --remove /boot/efi/EFI/Grub/grubx64.efi

You may also do both (backup and remove) at the same time:

# sbattach --signum 1 --detach grubx64.sig --remove /boot/efi/EFI/Grub/grubx64.efi

If all went well, and no other signatures exist in the image, the result will be:

# sbverify --list /boot/efi/EFI/Grub/grubx64.efi 
No signature table present

Related

unexpected behaviour of Ctrl-a x and Ctrl-a X in screen?! regions, locking
Reset USB via batch?
Why is sort -k5nr not a syntax error?
Reverting ubuntu updates
OpenVPN to Access Remote Desktop
How can I enable hardware virtualization when it has been locked in my Dell Vostro 220 PC?
Some programs won't start/install without running as administrator
Automatically testing all parts of a new computer
Program to restore open windows after crash
Reducing Windows 10 x64 memory footprint – can I tune the system's automatic memory compression?
Making laptop not increase/decrease screen brightness when changing power source
How do you copy chrome extension data from one computer to another?