How to sign binaries of the Clear Linux image

In this tutorial, you will see how to sign the binaries of a Clear Linux image so that you can boot it through a secure boot enabled OVMF.


  • Install sbsigntool on Ubuntu (Verified on 18.04):

    $ sudo apt install sbsigntool
  • Download and extract the Clear Linux image from the release:

    $ export https_proxy=<your https proxy>:<port>
    $ wget
    $ unxz clear-29880-kvm.img.xz
  • Download script on Ubuntu.

Steps to sign the binaries of the Clear Linux image

  1. Follow the KeyGeneration to generate the key and certification which will be used to sign the binaries.

  2. Get these files from the previous step:

    • archive-subkey-private.key
    • archive-subkey-public.crt
  3. Use the script to sign binaries in the Clear Linux image:

  4. clear-xxx-kvm.img.signed will be generated in the same folder as the original clear-xxx-kvm.img.