On Jun 29, Jan Naumann <j...@jans-seite.de> wrote: > Could you please add a hook to the postinst that either a local script can be > called on installation time which takes care of signing the image (similar to > the `/etc/kernel/postinst.d/ mechamism) or add some call to `sbsign` yourself > if > e.g. the signing key is available at a specific path. I am working on packaging sbctl (which I believe is *much* nicer[1] than sbsigntool and mokutil), so I plan to do some work in this area in the future. But I am not sure yet of which shape this interface should have.
Part of the issue is that at least sbctl signs the installed binaries in place, while bootctl looks for .efi.signed files in the source directory, and "bootctl install" could also be run manually at any time. But since systemd-bootx64.efi comes from /usr/lib/systemd/boot/efi/ it would not be right to have something which is not the package manager install a .efi.signed file there, so I suspect that this cannot be solved just with some shell scripting. And for the time being there are zero chances that Debian (or anybody else, I understand) will be able to ship a signed systemd-boot, so this is not a useful interface right now. [1] https://blog.bofh.it/debian/id_465 -- ciao, Marco
signature.asc
Description: PGP signature
