gramine-sgx-sign – Gramine SIGSTRUCT generator
Synopsis
gramine-sgx-sign [OPTION]… --output output_manifest --key key_file --manifest manifest_file
Description
gramine-sgx-sign is used to expand Trusted Files (compute the cryptographic hashes of the trusted files listed in the manifest and write them into the output manifest) and to generate the signature file (SIGSTRUCT) for the given input manifest and libpal file (the main Gramine binary).
Command line arguments
- --help, -h
Show help and exit.
- --output output_manifest, -o output_manifest
Path to the output manifest file (with Trusted Files expanded).
- --key key_file, -k key_file
Path to the private key used for signing.
- --manifest manifest_file, -m manifest_file
Input manifest file.
- --date <YYYY-MM-DD>|today
Set the date to be put into SIGSTRUCT. If not given, or if the value is the literal today, the current day according to the system calendar is used. Otherwise a value of the form <YYYY>-<MM>-<DD> is expected. The date need not be a valid day; --date 0000-00-00 is happily accepted, e.g. for reproducible builds.
- --libpal libpal_path, -l libpal_path
Path to libpal file (main Gramine binary).
- --sigfile sigfile, -s sigfile
Path to the output file containing SIGSTRUCT. If not provided, manifest_file will be used with “.manifest” (if present) removed from the end and with “.sig” appended.
- --depfile depfile
Generate a file that describes the dependencies for the output manifest and SIGSTRUCT, i.e. files that should trigger rebuilding if they’re modified. The dependency file is in Makefile format, and is suitable for use in build systems (Make, Ninja).
- --chroot <path>
When calculating cryptographic hashes of trusted files, measure files inside a chroot instead of paths in the root of the file system. Requires that all paths in the manifest are absolute; they are interpreted as relative to the directory given as the value of this option.
Note that you need to be very careful that the Gramine runtime binaries inside the chroot are exactly the same as the ones used to run gramine-sgx-sign; otherwise the hashes recorded in the output manifest will not match the files actually loaded into the enclave at runtime.
- --verbose, -v
Print details to standard output. This is the default.
- --quiet, -q
Don’t print details to standard output.
- --with <plugin>
Use plugin to perform the actual signing. The default plugin is file, which signs the SIGSTRUCT using a PEM-encoded local key file. The list of available plugins is at the end of --help output.
Each plugin may add its own set of options (usually in the form of --<plugin>-<option>). To get help about those, use gramine-sgx-sign --with=<plugin> --help-<plugin> and/or consult the documentation of the respective plugin.
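A complete, reproducible signing run as an added example; this is not code from the Gramine man page or source tree. The file names (app.manifest, app.manifest.sgx, enclave-key.pem and the depfile named after the output) are assumptions chosen for illustration, and the default_sigfile helper merely reproduces the --sigfile naming rule given above so that it can be checked without Gramine installed. The key-generation step relies on the SGX requirement that a SIGSTRUCT signing key be RSA-3072 with public exponent 3.

```shell
#!/bin/sh
# Added example for the gramine-sgx-sign man page; not Gramine's own code.
# Assumed names: app.manifest (input), app.manifest.sgx (output), enclave-key.pem (key).

# Generate a signing key. SGX requires the SIGSTRUCT key to be RSA-3072 with
# public exponent 3, hence "-3". The private key authorises enclave launches
# under this signer identity (MRSIGNER), so keep its permissions tight.
gen_enclave_key() {
    key="$1"
    openssl genrsa -3 -out "$key" 3072
    chmod 0600 "$key"
}

# Reproduce the --sigfile default: a trailing ".manifest" is stripped (only
# when it is the suffix) and ".sig" is appended. Pure string handling, so it
# doubles as a check that callers and build rules agree on the output name.
default_sigfile() {
    manifest="$1"
    printf '%s.sig\n' "${manifest%.manifest}"
}

# Sign with a fixed date so that two builds of the same inputs yield a
# byte-identical SIGSTRUCT, and emit a Makefile-format depfile (assumed name:
# <output>.d) so the build system re-signs whenever a trusted file changes.
# Call this only where gramine-sgx-sign is installed.
sign_reproducibly() {
    manifest="$1"; key="$2"; output="$3"
    gramine-sgx-sign \
        --manifest "$manifest" \
        --key "$key" \
        --output "$output" \
        --sigfile "$(default_sigfile "$manifest")" \
        --depfile "$output.d" \
        --date 0000-00-00 \
        --quiet
}

# Usage (not executed here), run from the directory holding app.manifest:
#   gen_enclave_key enclave-key.pem
#   sign_reproducibly app.manifest enclave-key.pem app.manifest.sgx
#   -> writes app.manifest.sgx, app.sig and app.manifest.sgx.d
```

To verify reproducibility, run sign_reproducibly twice on unchanged inputs into separate directories and compare the two .sig files with cmp; with --date fixed they should be identical. In a Makefile, pull the generated depfile in with -include app.manifest.sgx.d so that editing any trusted file re-triggers the signing rule.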