anjuna-sign

Name

anjuna-sign

Generate a signature (.sig) file containing the signature for executing an enclave in Intel® SGX.

Synopsis

anjuna-sign [options] EXECUTABLE
  --measure-only    Generate an unsigned signature file
  --sign-only       Sign or re-sign the signature file
  --sig-file path   Set signature file path (default "EXECUTABLE.sig")
  --key path        Set private key path (default SGX_SIGNER_KEY environment variable)
  --manifest path   Set manifest path (default "EXECUTABLE.manifest.sgx")
  --lib path        Set enclave library path (default "Runtime/libanjuna_enclave.so")
  --quiet           Suppress memory layout and measurements output
  --help            Show help summary

Description

Before you can execute an enclave in Intel® SGX, it must be signed using a 3072-bit RSA key. anjuna-sign computes the expected MRENCLAVE value, generates a digital signature for it, and stores the signature in a .sig file.

Exit status

  • 0 upon successful generation of a signature file

  • 2 upon command line error

  • 1 on other failures to generate the signature file or the signing payload

Example

Assume you have a manifest file named openssl.manifest.sgx and openssl is located at /usr/bin/openssl. To sign it, run the following command:

$ anjuna-sign /usr/bin/openssl
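
The --measure-only and --sign-only options also let measuring and signing run as separate steps, so the private key can stay off the build host. The script below is an added example, not part of the Anjuna documentation or tooling; the function names, the ANJUNA_SIGN variable, and the assumption that --sign-only takes the same EXECUTABLE argument shown in the synopsis are assumptions.

```shell
#!/bin/sh
# Added example: split measuring and signing across two hosts.
# Only options from the synopsis are used. Function names, file paths and the
# ANJUNA_SIGN override variable are hypothetical.
ANJUNA_SIGN=${ANJUNA_SIGN:-anjuna-sign}

# Map the exit statuses documented above to a log message.
explain_status() {
    case "$1" in
        0) echo "signature file generated" ;;
        2) echo "command line error" ;;
        1) echo "could not generate signature file or signing payload" ;;
        *) echo "undocumented exit status $1" ;;
    esac
}

# Stage 1, build host: write an unsigned .sig holding the measurement.
measure_enclave() {   # usage: measure_enclave EXECUTABLE SIG_FILE
    rc=0
    "$ANJUNA_SIGN" --measure-only --sig-file "$2" "$1" || rc=$?
    echo "measure: $(explain_status "$rc")" >&2
    return "$rc"
}

# Stage 2, signing host: sign the .sig produced by stage 1.
sign_measured() {     # usage: sign_measured EXECUTABLE SIG_FILE KEY
    [ -f "$2" ] || { echo "sign: no unsigned signature file at $2" >&2; return 1; }
    [ -r "$3" ] || { echo "sign: cannot read key $3" >&2; return 1; }
    # Refuse a private key that group or others can read.
    if [ -n "$(find "$3" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "sign: key $3 is readable by group or others" >&2
        return 1
    fi
    rc=0
    "$ANJUNA_SIGN" --sign-only --sig-file "$2" --key "$3" "$1" || rc=$?
    echo "sign: $(explain_status "$rc")" >&2
    return "$rc"
}
```

Source the file, run measure_enclave on the build host, copy the unsigned .sig to the signing host, and run sign_measured there.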