gramine-sgx-sign – Gramine SIGSTRUCT
generator¶
Synopsis¶
gramine-sgx-sign [OPTION]… –output output_manifest –key key_file –manifest manifest_file
Description¶
gramine-sgx-sign is used to expand Trusted Files and generate signature file for given input manifest and libpal file (main Gramine binary).
Command line arguments¶
-
--help
,
-h
¶
Show help and exit.
-
--output
output_manifest
,
-o
output_manifest
¶ Path to the output manifest file (with Trusted Files expanded).
-
--key
key_file
,
-k
key_file
¶ Path to the private key used for signing.
-
--manifest
manifest_file
,
-m
manifest_file
¶ Input manifest file.
-
--date
<YYYY-MM-DD>|today
¶ Set specific date to be put into
SIGSTRUCT
. If not given, or the value is literaltoday
, then current day according to system calendar is used. Otherwise expects<YYYY>-<MM>-<DD>
. The date needs not to be a valid day, it will happily accept--date 0000-00-00
, e.g. for reproducible builds.
-
--libpal
libpal_path
,
-l
libpal_path
¶ Path to libpal file (main Gramine binary).
-
--sigfile
sigfile
,
-s
sigfile
¶ Path to the output file containing
SIGSTRUCT
. If not provided, manifest_file will be used with “.manifest” (if present) removed from the end and with “.sig” appended.
-
--depfile
depfile
¶ Generate a file that describes the dependencies for the output manifest and
SIGSTRUCT
, i.e. files that should trigger rebuilding if they’re modified. The dependency file is in Makefile format, and is suitable for using in build systems (Make, Ninja).
-
--chroot
<path>
¶ When calculating cryptographic hashes of trusted files, measure files inside a chroot instead of paths in root of the file system. Requires that all paths in manifest are absolute, and those will be interpreted as relative to the directory specified as the value of the option.
Note you need to be very careful that the Gramine runtime binaries are exactly the same inside chroot as the ones used to execute gramine-sgx-sign.
-
--verbose
,
-v
¶
Print details to standard output. This is the default.
-
--quiet
,
-q
¶
Don’t print details to standard output.
-
--with
<plugin>
¶ Use plugin to perform actual signing. The default plugin is
file
, which signs theSIGSTRUCT
using PEM-encoded local file. The list of available plugins is at the end of--help
output.Each plugin may add its own set of options (usually in the form of
--<plugin>-<option>
). To get help about those, use gramine-sgx-sign --with=<plugin> --help-<plugin> and/or consult the documentation of the respective plugin.