diff --git a/pkgs/tools/security/sbsigntool/autoconf.patch b/pkgs/tools/security/sbsigntool/autoconf.patch
new file mode 100644
index 000000000000..27f5b77c8848
--- /dev/null
+++ b/pkgs/tools/security/sbsigntool/autoconf.patch
@@ -0,0 +1,19 @@
+diff -uNr sbsigntool/configure.ac sbsigntool-new/configure.ac
+--- sbsigntool/configure.ac	2015-07-05 12:18:18.932717136 +0200
++++ sbsigntool-new/configure.ac	2015-07-05 14:51:39.659284938 +0200
+@@ -65,7 +65,7 @@
+ 
+ dnl gnu-efi headers require extra include dirs
+ EFI_ARCH=$(uname -m)
+-EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
++EFI_CPPFLAGS="-I@@NIX_GNUEFI@@/include/efi -I@@NIX_GNUEFI@@/include/efi/$EFI_ARCH \
+  -DEFI_FUNCTION_WRAPPER"
+ CPPFLAGS_save="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
+@@ -74,5 +74,5 @@
+ AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS)
+ 
+ AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile]
+-		[docs/Makefile tests/Makefile])
++		[docs/Makefile])
+ AC_OUTPUT
diff --git a/pkgs/tools/security/sbsigntool/default.nix b/pkgs/tools/security/sbsigntool/default.nix
new file mode 100644
index 000000000000..1571720a0b9b
--- /dev/null
+++ b/pkgs/tools/security/sbsigntool/default.nix
@@ -0,0 +1,47 @@
+{ stdenv, fetchgit, autoconf, automake, utillinux, openssl, libuuid, gnu-efi
+, binutils, pkgconfig, help2man }:
+
+stdenv.mkDerivation rec {
+  name = "sbsigntool-${version}";
+  version = "0.5";
+
+  src = fetchgit {
+    url = "git://kernel.ubuntu.com/jk/sbsigntool";
+    rev = "951ee95a301674c046f55330cd7460e1314deff2";
+    sha256 = "09k8by0qq8j7ff812l1l9z9frsx5c4cmhj5in3g1sgyz3v55nfy7";
+  };
+
+  patches = [ ./autoconf.patch ];
+
+  buildInputs = [ autoconf automake utillinux openssl libuuid gnu-efi binutils pkgconfig help2man ];
+
+  configurePhase = ''
+    substituteInPlace configure.ac --replace "@@NIX_GNUEFI@@" "${gnu-efi}"
+
+    lib/ccan.git/tools/create-ccan-tree --build-type=automake lib/ccan "talloc read_write_all build_assert array_size"
+    touch AUTHORS
+    touch ChangeLog
+
+    echo "SUBDIRS = lib/ccan src docs" >> Makefile.am
+
+    aclocal
+    autoheader
+    autoconf
+    automake --add-missing -Wno-portability
+
+    ./configure --prefix=$out
+    '';
+
+  installPhase = ''
+    mkdir -p $out
+    make install
+    '';
+
+  meta = with stdenv.lib; {
+    description = "Tools for maintaining UEFI signature databases";
+    homepage    = http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases;
+    maintainers = [ maintainers.tstrobel ];
+    platforms   = platforms.linux;
+  };
+}
+
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 743b714f2839..a3a84b6a0c0a 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1726,6 +1726,8 @@ let
     zfsSupport = false;
   };
 
+  sbsigntool = callPackage ../tools/security/sbsigntool { };
+
   gsmartcontrol = callPackage ../tools/misc/gsmartcontrol {
     inherit (gnome) libglademm;
   };