diff --git a/image.c b/image.c
index c29af25..591926e 100644
--- a/image.c
+++ b/image.c
@@ -362,3 +362,19 @@ out:
 close(fd);
 return !rc;
 }
+
+int image_write_detached(struct image *image, const char *filename)
+{
+ int fd, rc;
+
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fd < 0) {
+ perror("open");
+ return -1;
+ }
+
+ rc = write_all(fd, image->sigbuf, image->sigsize);
+
+ close(fd);
+ return !rc;
+}
diff --git a/image.h b/image.h
index e136e7c..e3a2be6 100644
--- a/image.h
+++ b/image.h
@@ -81,6 +81,7 @@ int image_pecoff_parse(struct image *image);
 int image_find_regions(struct image *image);
 int image_hash_sha256(struct image *image, uint8_t digest[]);
 int image_write_signed(struct image *image, const char *filename);
+int image_write_detached(struct image *image, const char *filename);
 #endif /* IMAGE_H */
diff --git a/sbsign.c b/sbsign.c
index efd1d6a..3353160 100644
--- a/sbsign.c
+++ b/sbsign.c
@@ -48,12 +48,14 @@ struct sign_context {
 const char *infilename;
 const char *outfilename;
 int verbose;
+ int detached;
 };
 static struct option options[] = {
 { "output", required_argument, NULL, 'o' },
 { "cert", required_argument, NULL, 'c' },
 { "key", required_argument, NULL, 'k' },
+ { "detached", no_argument, NULL, 'd' },
 { "verbose", no_argument, NULL, 'v' },
 { "help", no_argument, NULL, 'h' },
 { "version", no_argument, NULL, 'V' },
@@ -69,8 +71,12 @@ static void usage(void)
 "\t--key signing key (PEM-encoded RSA "
 "private key)\n"
 "\t--cert certificate (x509 certificate)\n"
+ "\t--detached write a detached signature, instead of\n"
+ "\t a signed binary\n"
 "\t--output write signed data to \n"
- "\t (default .signed)\n",
+ "\t (default .signed,\n"
+ "\t or .pk7 for detached\n"
+ "\t signatures)\n",
 toolname);
 }
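Review bot: image_write_detached (fully inside this hunk) ignores the return value of close(fd), so an error that is only reported at close — ENOSPC or EIO on a full or networked filesystem — is lost and the function reports success while the file it opened with O_TRUNC holds a truncated signature. Change the tail to `if (close(fd) < 0) { perror("close"); return -1; }` before `return !rc;`, and consider unlinking filename on either failure path so a partial .pk7 is never left behind for a verifier to pick up. The `!rc` encoding assumes write_all returns nonzero on success, which the identical `return !rc;` in the image_write_signed context lines suggests but the hunk does not show; note also that the call site added later in this diff discards the result, so even the errors this function does report will not reach the exit status unless that caller checks it.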
@@ -81,7 +87,12 @@ static void version(void)
 static void set_default_outfilename(struct sign_context *ctx)
 {
- ctx->outfilename = talloc_asprintf(ctx, "%s.signed", ctx->infilename);
+ const char *extension;
+
+ extension = ctx->detached ? "pk7" : "signed";
+
+ ctx->outfilename = talloc_asprintf(ctx, "%s.%s",
+ ctx->infilename, extension);
 }
 int main(int argc, char **argv)
 {
@@ -112,6 +123,9 @@ int main(int argc, char **argv)
 case 'k':
 keyfilename = optarg;
 break;
+ case 'd':
+ ctx->detached = 1;
+ break;
 case 'v':
 ctx->verbose = 1;
 break;
@@ -195,7 +209,10 @@ int main(int argc, char **argv)
 i2d_PKCS7(p7, &buf);
 ERR_print_errors_fp(stdout);
- image_write_signed(ctx->image, ctx->outfilename);
+ if (ctx->detached)
+ image_write_detached(ctx->image, ctx->outfilename);
+ else
+ image_write_signed(ctx->image, ctx->outfilename);
 talloc_free(ctx);
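Review bot: `case 'd'` is only reachable if the short-option string passed to getopt_long also lists `d`, and that string is outside this diff (the enclosing main() starts before and continues past the hunk); nothing in the patch updates it, so if it still reads something like `"o:c:k:vhV"`, `-d` will be rejected as an unknown option while `--detached` works. Confirm the optstring gained `d`, or drop the short form from the options table entry so the two stay consistent.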