Package Details: sbsign-refind-initcpio-post-hook 1.3-1

Git Clone URL: https://aur.archlinux.org/sbsign-refind-initcpio-post-hook.git (read-only)
Package Base: sbsign-refind-initcpio-post-hook
Description: A mkinitcpio post hook to sign kernels for rEFInd and Secure Boot.
Upstream URL: https://aur.archlinux.org/packages/sbsign-refind-initcpio-post-hook
Licenses: GPL
Submitter: rgarber11
Maintainer: rgarber11
Last Packager: rgarber11
Votes: 1
Popularity: 0.34
First Submitted: 2023-03-23 06:44 (UTC)
Last Updated: 2025-10-21 16:26 (UTC)

Pinned Comments

rgarber11 commented on 2023-03-23 06:46 (UTC)

A simple hook that signs kernels after mkinitcpio runs for rEFInd secure boot. Please comment if any changes are necessary to improve this package.

Latest Comments

rgarber11 commented on 2025-12-02 22:13 (UTC)

@wolfk I currently do not use UKIs. I might look into making this hook sign whatever is needed (.efi for UKIs, vmlinuz for non-UKI) when I have free time.

wolfk commented on 2025-10-25 16:22 (UTC) (edited on 2025-10-25 16:24 (UTC) by wolfk)

You might want to add a hook for UKIs (https://wiki.archlinux.org/title/Unified_kernel_image):

#!/bin/bash
# rEFInd's local Secure Boot signing key and certificate
KEY="/etc/refind.d/keys/refind_local.key"
CERT="/etc/refind.d/keys/refind_local.crt"
for file in "$@"; do
    # Only process .efi files
    if [[ "$file" == *.efi ]]; then
        echo "Checking UKI: $file"

        # sbverify prints "No signature table present" on stderr, hence 2>&1.
        # Match it as a substring: sbverify may print warnings before it.
        sigs=$(sbverify --list "$file" 2>&1)
        if [[ "$sigs" == *"No signature table present"* ]]; then
            echo "Signing $file"
            sbsign --key "$KEY" --cert "$CERT" --output "$file" "$file"
        else
            echo "Already signed: $file"
        fi
    else
        echo "Skipping non-UKI file: $file"
    fi
done

meadow commented on 2025-02-27 15:34 (UTC)

Thanks for fixing this so quickly! :)

rgarber11 commented on 2025-02-27 15:25 (UTC)

@meadow Great tip! I'll change the hook to only conditionally sign images.

meadow commented on 2025-02-27 15:03 (UTC)

I changed the hook such that it doesn't sign kernel images that already have signatures. sbverify --list showed that my kernels were signed multiple times with the same signature.

Hint: Redundant signatures can be removed using sbattach --signum $num --remove

#!/bin/sh
# $1 is the kernel image path mkinitcpio hands to post hooks.
# sbverify reports "No signature table present" on stderr, so both streams
# are captured; it is matched as a substring in case warnings precede it.

sigs=$(sbverify --list "$1" 2>&1)

case "$sigs" in
    *"No signature table present"*)
        /usr/bin/sbsign --key /etc/refind.d/keys/refind_local.key --cert /etc/refind.d/keys/refind_local.crt --output "$1" "$1"
        ;;
esac

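An added example, written for this page and not the package's hook nor either commenter's script, that combines the two points made in the thread (sign only when no signature is present; strip redundant signatures with sbattach --signum) with the checks a practitioner would want: a substring match so that a warning sbverify may print on stderr does not mask the "No signature table present" message, a check that an existing signature actually verifies against the rEFInd certificate rather than merely existing, PE detection by the "MZ" magic instead of the file name, and removal of duplicates highest index first so the 1-based --signum indices do not shift while removing. Assumed, not taken from the page: the "signature N" / " - subject:" / "   issuer:" layout of sbverify --list output, the sbverify --cert check, the "MZ" filter, and the constructed sample listing embedded in the script; the key and certificate paths are the ones used throughout the thread.

```bash
#!/bin/bash
# Added example, not the AUR hook's code. Assumes the rEFInd key/cert paths
# from the thread and that `sbverify --list` prints blocks headed
# "signature N" with " - subject:" / "   issuer:" lines under each.
KEY="/etc/refind.d/keys/refind_local.key"
CERT="/etc/refind.d/keys/refind_local.crt"

# Constructed sample of `sbverify --list` output (stdout+stderr) for the
# stand-alone demo: signature 2 repeats signature 1's signer, 3 is distinct.
SAMPLE_LISTING='warning: data remaining[1234 vs 5678]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=rEFInd local key
image signature certificates:
 - subject: /CN=rEFInd local key
   issuer:  /CN=rEFInd local key
signature 2
image signature issuers:
 - /CN=rEFInd local key
image signature certificates:
 - subject: /CN=rEFInd local key
   issuer:  /CN=rEFInd local key
signature 3
image signature issuers:
 - /CN=Other distro key
image signature certificates:
 - subject: /CN=Other distro key
   issuer:  /CN=Other distro key'

# has_signature LISTING: succeed when the listing shows at least one
# signature. Substring match, because warnings (like the one in the sample)
# may precede "No signature table present" and defeat an exact comparison.
has_signature() {
    case "$1" in
        *"No signature table present"*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -q '^signature [0-9][0-9]*$'
}

# duplicate_signums: read a listing on stdin; print the 1-based index of every
# signature whose certificate lines repeat an earlier signature, highest index
# first, so removing them in that order never shifts an index still to come.
duplicate_signums() {
    awk '
        /^signature [0-9]+$/ { n = $2; if (n > max) max = n; next }
        n && (/^ *- subject: / || /^ *issuer: /) { fp[n] = fp[n] $0 "\n" }
        END {
            for (i = 1; i <= max; i++)
                if (fp[i] in seen) dup[i] = 1; else seen[fp[i]] = 1
            for (i = max; i >= 1; i--)
                if (i in dup) print i
        }'
}

# is_pe FILE: EFI-stub kernels and UKIs start with "MZ"; initramfs archives
# do not, so the filter does not depend on the file name (assumption).
is_pe() { [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]; }

# process_image FILE: sign once, only if no signature verifies against CERT,
# then strip duplicate signatures left behind by earlier unconditional runs.
process_image() {
    file="$1"
    listing=$(sbverify --list "$file" 2>&1) || true   # non-zero exit when unsigned
    if ! has_signature "$listing" || ! sbverify --cert "$CERT" "$file" >/dev/null 2>&1; then
        echo "Signing $file"
        sbsign --key "$KEY" --cert "$CERT" --output "$file" "$file"
        listing=$(sbverify --list "$file" 2>&1) || true
    fi
    for n in $(printf '%s\n' "$listing" | duplicate_signums); do
        echo "Removing duplicate signature $n from $file"
        sbattach --signum "$n" --remove "$file"
    done
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if is_pe "$f"; then process_image "$f"; else echo "Skipping non-PE file: $f"; fi
    done
else
    # Run with no arguments: show which indices the parser would remove.
    printf '%s\n' "$SAMPLE_LISTING" | duplicate_signums
fi
```

Run by hand with no arguments it only prints the duplicate index for the constructed sample (2); given image paths it behaves as a hook. The sbverify --cert step is the difference from the thread's scripts: an image signed only by some other key is still signed with the rEFInd key, instead of being reported as "already signed".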