sbsign: allow for adding intermediate certificates

SignedData can have multiple certificates, but the current
implementation of sbsign only allows a single one (as a signer).
With this patch, "-addcert" options will be available on command line to
specify a file in which any number of intermediate certificates in PEM
format can be concatenated.

  $ sign --key <key> --cert <cert> --addcert <morecerts> [...] image_file

I'm working on implementing UEFI secure boot on U-Boot and want
to test my code against PE images with intermediate certificates
in certificate chain.
As far as I know, the only tool that supports it in signing is
Microsoft's signtool.exe. So I'd like to have some corresponding
tool on linux.

Signed-off-by: AKASHI Takahiro <>
Signed-off-by: James Bottomley <>
1 file changed