Undo 'sbsign' on executable, remove an attached image signature
I've signed an EFI image using the sbsign utility from the sbsigntools package, for example:
# sbsign --key db.key --cert db.pem \
--output /boot/efi/EFI/Grub/grubx64.efi /boot/efi/EFI/Grub/grubx64.efi
This results in, for example:
# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
signature 1
image signature issuers:
- /CN=My Signature DB Key
image signature certificates:
- subject: /CN=My Signature DB Key
issuer: /CN=My Signature DB Key
My question is simply this: is there a Linux utility that can properly remove this attached signature from this binary file?
Solution 1:
Also included in the sbsigntools package is the sbattach utility; this will do the job, though it's not immediately obvious.
I'll just mention that you need to know what you're doing and why you're doing it. You can break Secure Boot if you don't understand what's about to happen. For instance, if you were to remove a 3rd party signature (i.e. Microsoft's) from an image, you would be unable to re-sign the image without the issuer's Private Key.
…and be sure to check out man sbattach, as brief as it is.
From the example in my question...
# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
signature 1
...
signature 1 is mine, and I want to remove it from the image. It is possible for an image to have multiple signatures, from multiple issuers.
To create a detached backup of a signature in $PWD, you may do this:
# sbattach --signum 1 --detach grubx64.sig /boot/efi/EFI/Grub/grubx64.efi
(Of course, you should backup the file as well.)
Note that --signum is optional, but without it the command will default to the first signature. This means that if you were to modify an image originally signed by a 3rd party with the goal of removing a signature that you had added, the default behavior would be to remove the 3rd party signature, not yours.
To remove a signature, you may do this:
# sbattach --signum 1 --remove /boot/efi/EFI/Grub/grubx64.efi
You may also do both (backup and remove) at the same time:
# sbattach --signum 1 --detach grubx64.sig --remove /boot/efi/EFI/Grub/grubx64.efi
If all went well, and no other signatures exist in the image, the result will be:
# sbverify --list /boot/efi/EFI/Grub/grubx64.efi
No signature table present
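To make the list/detach/remove steps above concrete, here is an added example of my own; it is not part of the answer and not sbsigntools' source. It models the PE/COFF Certificate Table (data directory entry 4) in which Authenticode signatures are stored as WIN_CERTIFICATE entries, walks it the way `sbverify --list` numbers signatures (1-based), returns one entry's blob as `--detach` does, and drops one entry as `--remove` does, zeroing the directory when none remain (the "No signature table present" state). The PE header is a constructed minimal PE32+ stub, the signature payloads are placeholder byte strings rather than real PKCS#7 data, and the assumption that the table sits at the end of the file is mine; the function names are hypothetical. It also reproduces the `--signum` pitfall from the answer: the default index is 1, so omitting it removes the first (here, the vendor's) entry.

```python
import struct

# Index of the Certificate Table ("security directory") among the PE data
# directories. Its VirtualAddress field is a raw file offset, not an RVA.
SECURITY_DIR_INDEX = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _align8(n):
    return (n + 7) & ~7


def _security_directory(image):
    """Locate the Certificate Table entry. Returns (field_offset, table_offset, table_size)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:                           # PE32+ (x86_64 EFI binaries)
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                         # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", image, ndirs_off)[0] <= SECURITY_DIR_INDEX:
        raise ValueError("image has no Certificate Table directory entry")
    field = dirs_off + SECURITY_DIR_INDEX * 8
    off, size = struct.unpack_from("<II", image, field)
    return field, off, size


def list_signatures(image):
    """Walk the WIN_CERTIFICATE entries; signum is 1-based like sbattach --signum."""
    _, off, size = _security_directory(image)
    sigs, pos, end = [], off, off + size
    while size and pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt certificate table")
        sigs.append({"signum": len(sigs) + 1, "revision": revision,
                     "type": ctype, "data": bytes(image[pos + 8:pos + length])})
        pos += _align8(length)                   # entries are padded to 8-byte boundaries
    return sigs


def _encode_entry(data):
    entry = struct.pack("<IHH", 8 + len(data), WIN_CERT_REVISION_2_0,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + data
    return entry + b"\0" * (_align8(len(entry)) - len(entry))


def attach_signature(image, data):
    """Append one signature blob as a new table entry (assumes the table sits at EOF)."""
    field, off, size = _security_directory(image)
    new = bytearray(image)
    if size == 0:                                # no table yet: start one on an 8-byte boundary
        new += b"\0" * (_align8(len(new)) - len(new))
        off = len(new)
    new += _encode_entry(data)
    struct.pack_into("<II", new, field, off, len(new) - off)
    return bytes(new)


def detach_signature(image, signum=1):
    """Return the raw signature blob, which is what sbattach --detach writes to a file."""
    sigs = list_signatures(image)
    if not 1 <= signum <= len(sigs):
        raise IndexError("no signature %d (image has %d)" % (signum, len(sigs)))
    return sigs[signum - 1]["data"]


def remove_signature(image, signum=1):
    """Drop one entry and rewrite the table; zero the directory when none remain."""
    field, off, _size = _security_directory(image)
    sigs = list_signatures(image)
    if not 1 <= signum <= len(sigs):
        raise IndexError("no signature %d (image has %d)" % (signum, len(sigs)))
    keep = [s["data"] for s in sigs if s["signum"] != signum]
    new = bytearray(image[:off])                 # everything before the table is untouched
    if not keep:
        struct.pack_into("<II", new, field, 0, 0)  # sbverify would now report no signature table
        return bytes(new)
    table = b"".join(_encode_entry(d) for d in keep)
    struct.pack_into("<II", new, field, off, len(table))
    return bytes(new + table)


def build_unsigned_image():
    """Constructed minimal PE32+ header: enough for the directory walk, not bootable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86_64, SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\x90" * 24   # 352 bytes, 8-aligned


if __name__ == "__main__":
    # Constructed placeholders: a vendor signature first, then one of "mine" (not real PKCS#7).
    img = attach_signature(attach_signature(build_unsigned_image(), b"FAKE-PKCS7-VENDOR"),
                           b"FAKE-PKCS7-MINE!")
    print([(s["signum"], s["data"]) for s in list_signatures(img)])
    print([s["data"] for s in list_signatures(remove_signature(img))])            # default: vendor gone
    print([s["data"] for s in list_signatures(remove_signature(img, signum=2))])  # mine gone
```

Run on a real image, this only tells you how many entries exist and where; it does not validate the PKCS#7 contents or print issuers, which is what `sbverify --list` adds on top of the table walk. The point to carry over to the real tools is the one in the answer: count the entries first, and pass an explicit `--signum` when more than one is present.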