Undo 'sbsign' on executable, remove an attached image signature

I've signed an EFI image using the sbsign utility from the sbsigntools package, for example:

# sbsign --key db.key --cert db.pem \
    --output /boot/efi/EFI/Grub/grubx64.efi /boot/efi/EFI/Grub/grubx64.efi

This results in, for example:

# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
signature 1
image signature issuers:
 - /CN=My Signature DB Key
image signature certificates:
 - subject: /CN=My Signature DB Key
   issuer:  /CN=My Signature DB Key

My question is simply this: is there a Linux utility that can properly remove this attached signature from this binary file?


Solution 1:

Also included in the sbsigntools package is the sbattach utility; this will do the job, though it's not immediately obvious.

I'll just mention that you need to know what you're doing and why you're doing it. You can break Secure Boot if you don't understand what's about to happen. For instance, if you were to remove a 3rd party signature (i.e. Microsoft's) from an image, you would be unable to re-sign the image without the issuer's Private Key.

...and be sure to check out man sbattach ...as brief as it is.

From the example in my question...

# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
signature 1
...

signature 1 is mine, and I want to remove it from the image. It is possible for an image to have multiple signatures, from multiple issuers.

To create a detached backup of a signature in $PWD, you may do this:

# sbattach --signum 1 --detach grubx64.sig /boot/efi/EFI/Grub/grubx64.efi 

(Of course, you should backup the file as well.)

Note that --signum is optional, but without it the command will default to the first signature. This means that if you were to modify an image originally signed by a 3rd party with the goal of removing a signature that you had added, the default behavior would be to remove the 3rd party signature, not yours.

To remove a signature, you may do this:

# sbattach --signum 1 --remove /boot/efi/EFI/Grub/grubx64.efi 

You may also do both (backup and remove) at the same time:

# sbattach --signum 1 --detach grubx64.sig --remove /boot/efi/EFI/Grub/grubx64.efi 

If all went well, and no other signatures exist in the image, the result will be:

# sbverify --list /boot/efi/EFI/Grub/grubx64.efi 
No signature table present
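As an added check (example code, not part of the original answer or of sbsigntools): the attached signatures that sbverify lists and that --signum selects live in the PE attribute certificate table (data directory entry 4). The parser below walks that table, so you can confirm how many signatures an image holds and which index is yours before removing one, and confirm the table is gone afterwards. `build_test_image` is a constructed stand-in with dummy blobs instead of real PKCS#7 data; on a real file, read it in binary mode and pass the bytes to `list_attached_signatures`.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 container

def list_attached_signatures(image: bytes) -> list:
    """Walk the PE attribute certificate table (data directory entry 4, whose
    VirtualAddress is a raw file offset) and return one dict per signature,
    numbered 1..N in table order."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = {0x10B: 96, 0x20B: 112}.get(magic)  # data-directory offset: PE32 vs PE32+
    if dirs is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", image, opt + dirs - 4)[0] < 5:  # NumberOfRvaAndSizes
        return []
    table, size = struct.unpack_from("<II", image, opt + dirs + 4 * 8)
    sigs, pos, end = [], table, table + size
    while size and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE entry at 0x%x" % pos)
        sigs.append({"index": len(sigs) + 1, "offset": pos, "length": length,
                     "revision": revision, "type": cert_type,
                     "pkcs7": image[pos + 8:pos + length]})
        pos += (length + 7) & ~7               # entries are 8-byte aligned
    return sigs

def build_test_image(certs) -> bytes:
    """Constructed stand-in for an EFI binary: a bare PE32+ header whose security
    directory points at a certificate table holding the given blobs (not real PKCS#7)."""
    table = b""
    for blob in certs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    opt_size = 112 + 16 * 8
    table_off = 0x40 + 4 + 20 + opt_size if certs else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = b"".join(struct.pack("<II", table_off, len(table)) if i == 4 else b"\0" * 8
                    for i in range(16))
    return dos + b"PE\0\0" + coff + opt + dirs + table

if __name__ == "__main__":
    for sig in list_attached_signatures(build_test_image([b"sig-one", b"sig-two"])):
        print("signature %(index)d: type 0x%(type)04x, %(length)d bytes at 0x%(offset)x" % sig)
```

An empty list corresponds to the "No signature table present" result shown above; the index numbers follow the same 1-based table order that sbverify prints.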