> Not running an update of the EFI binaries is problematic as well. Running the update will brick a system with secure boot unconditionally.

> Aside from the dpkg/apt hook I mentioned earlier, what you might do is
> to dpkg-divert bootctl and replace it with a wrapper script that does
> the update + signing for your setup.

Thank you, I think dpkg-divert is the only atomic solution. If there is a larger gap between the sd-boot postinst and the dpkg/apt hook, and there is a problem/crash/power cut in between, the system won't boot again.

> Is there a programmatic, defined way to find out if the sd-boot efi
> binaries have been signed?

The only way I know:

  # sbverify --list /usr/lib/systemd/boot/efi/systemd-bootx64.efi
  warning: data remaining[123392 vs 139547]: gaps between PE/COFF sections?
  warning: data remaining[123392 vs 139552]: gaps between PE/COFF sections?
  No signature table present

  # sbverify --list /efi/EFI/systemd/systemd-bootx64.efi
  warning: data remaining[125736 vs 141896]: gaps between PE/COFF sections?
  signature 1
  image signature issuers:
   - /CN=Signature Database key
  image signature certificates:
   - subject: /CN=Signature Database key
     issuer: /CN=Signature Database key
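As an added example (not part of this thread or of systemd), the "programmatic, defined way" asked about above is to read the Certificate Table entry (data directory index 4) of the PE/COFF optional header; sbverify prints "No signature table present" exactly when that entry is empty. The `_fake_pe` helper is a constructed minimal PE32+ header used only to exercise the check; run the script against real paths such as `/usr/lib/systemd/boot/efi/systemd-bootx64.efi` to check an installed binary.

```python
"""Report whether a PE/COFF (EFI) image carries an Authenticode signature table."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the Certificate Table data directory


def has_signature_table(data: bytes) -> bool:
    """Return True if the Certificate Table data directory is non-empty.

    This only proves a signature table exists; it says nothing about whether
    the signature verifies or whether the signing key is in the firmware db.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                            # PE32+ (x64 EFI binaries)
        nrva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:                          # PE32 (ia32 EFI binaries)
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", data, nrva_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False                              # header too short to hold entry 4
    entry = dd_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    offset, size = struct.unpack_from("<II", data, entry)  # file offset, not RVA
    return offset != 0 and size != 0


def _fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for demonstration (not a real bootloader)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)  # x86-64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, 0x600)  # certificate table offset/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "signed" if has_signature_table(f.read()) else "NO signature table")
```

A postinst or apt hook can fail closed on a `False` result instead of leaving an unsigned loader on the ESP.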