Suggestion: Only sign generated file in initcpio hook, use sign-all in a separate pacman hook
That way you avoid repeated "X has already been signed" messages in mkinitcpio -P output, while retaining compatibility with signing files from other packages.
(I use the following for my initcpio hook:)
#!/usr/bin/env bash
# mkinitcpio post hook: $3 is the path of the generated UKI (empty when none was built)
uki="$3"
# Nothing to sign if this preset did not produce a UKI
[[ -n "$uki" ]] || exit 0
sbctl sign "$uki"
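To complete the split described above, here is the separate pacman hook that runs sign-all after a transaction. This is an added example, not a file from this thread or from the sbctl project; the trigger paths are an assumption about where EFI binaries and kernels land on a typical Arch install, so adjust them to your layout (e.g. if your ESP is mounted somewhere other than /boot or /efi). The -g flag regenerates sbctl-managed bundles before signing; drop it if you only use mkinitcpio to build UKIs.

```ini
# /etc/pacman.d/hooks/zz-sbctl-sign-all.hook  (assumed path; "zz-" so it runs last)
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
# Assumed trigger paths: ESP contents, kernel images and initcpio inputs
Target = boot/*
Target = efi/*
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*

[Action]
Description = Signing EFI binaries with sbctl...
When = PostTransaction
# Signs every file tracked in sbctl's database; -g also regenerates sbctl bundles first
Exec = /usr/bin/sbctl sign-all -g
```

With this in place the mkinitcpio post hook only ever touches the UKI it just built, so mkinitcpio -P no longer re-signs every file in the database, while files added with sbctl sign -s from other packages are still picked up by the pacman hook. You can confirm the state afterwards with sbctl verify.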
In case users are using sbctl to generate the UKI:
#!/usr/bin/env bash
# mkinitcpio post hook: $3 is the path of the generated UKI (empty when none was built)
uki="$3"
if [[ -n $uki ]]; then
    # mkinitcpio built the UKI: sign just that file
    /usr/bin/sbctl sign "$uki"
else
    # no UKI from mkinitcpio: regenerate sbctl's own bundles (-g) and sign everything tracked
    /usr/bin/sbctl sign-all -g
fi
Is there any reason to use sbctl for UKI generation when mkinitcpio already supports it? (afaict the options supported by sbctl and mkinitcpio for UKIs are the same)
From the sbctl manpage:
Note that dracut(8) and mkinitcpio(8) supports unified kernel features, and they should be preferred over the sbctl implementation. It is mostly provided in the cases where this feature is not supported by the initramfs generator of the distribution.
@m00nwtchr Maybe for ensuring the UKI image has always been signed? But I just thought we can't leave the UKI generation feature in sbctl broken if this really gets accepted.
Edit: found this was already implemented 4 months ago xd https://github.com/Foxboron/sbctl/blob/8e0e68bc0959f4e86ffcde9e8fa3f0a1680bf06e/contrib/mkinitcpio/sbctl ; will wait for a release then
But I just thought we can't leave the UKI generation feature in sbctl broken if this really gets accepted.
Fwiw, it's already "almost" broken as the ukify wrapper from systemd supports all the new features.