Signing certificate and hash files (GNU GRUB Manual 2.14~rc1)

19.9 Signing certificate and hash files

X.509 certificate (public key) files and hash files (binary/certificate hash files) can be signed with a Linux kernel module-style appended signature.

The signer.key is a private key used for signing and signer.der is the corresponding public key (certificate) used for appended signature verification. Note that the signer.der (certificate) should exist in the db (see Using appended signatures in GRUB).

Signing the X.509 certificate file using sign-file. The kernel.der is an X.509 certificate file.
```
sign-file SHA256 signer.key signer.der kernel.der \
  kernel.der.signed
```

Signing the hash file using sign-file. The binary_hash.bin is a binary hash file.


sign-file SHA256 signer.key signer.der binary_hash.bin \
  binary_hash.signed