Morten Linderud
>This should be rather trivial: The official revocation list is signed by [Microsoft Corporation KEK CA 2011](https://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt). You just need to add that one to the KEK db if Microsoft...
>Why sign fedora shim in the first place when you use custom keys? Just add the fedora key to db. In fact, if you use shim, you'd be using ms...
>says that the Secure Boot db is added to the kernel keyring and so any key in there should be usable for kernel module signing. So all you'd need to...
It *should* be possible to enroll a signed empty file, signed by `PK`, and get us into setup mode. I have tried writing code for this with `goefi` but haven't...
The checksum would likely change. So you would need to disable Secure Boot. I *think* this can be done with a simple `sbctl reset` before doing a fwupdmgr update. Then...
Any reason why you don't want to use `systemd-boot-update.service`? https://github.com/systemd/systemd/commit/71c8bf28378958a5ab2348e9ec586fbe78c71dfd
Which is appropriate in this scenario since `pacman` doesn't do anything. The main issue is that there is no standard filename for the `bootctl` upgrade hook, which is why `sbctl`...
I'm contemplating if renaming it to `50-sbctl-sign.hook` would be Good Enough™️. I need to think a bit and see what other distros name the `bootctl` hook if they provide it.
>Nitpick, but wouldn't that mean it gets run before mkinitcpio generates the new initramfs or unified images since that hook is currently named 90-mkinitcpio-install.hook? Good point!
>Is stripping the signature and re-signing a valid way to determine "it's already signed"? If the signature mismatches, we can either bail or overwrite. I think exiting non-zero is best?...