#1 2024-05-03 15:32:22

fkr
Member
Registered: 2024-05-03
Posts: 1

Superfluous pacman hooks to sign EFI binaries

I am running Arch with an encrypted root partition, with unencrypted /boot and efistub. Moreover, I enabled secure boot via sbctl. Each time pacman updates the kernel, the files /boot/vmlinuz-linux and /boot/EFI/arch/fwupdx64.efi get signed again, as desired. However, there seems to be some redundancy in the procedure: First of all, /boot/EFI/arch/fwupdx64.efi usually will not be changed during the update, so there is no reason to sign it again. And secondly, the two files get signed three times (when building the image, when building the fallback, and finally as the last step 15/15). Here is a typical protocol of pacman -Syu:

: Post-transaction-Hooks werden gestartet …
( 1/15) Creating system user accounts...
( 2/15) Updating journal message catalog...
( 3/15) Reloading system manager configuration...
( 4/15) Reloading user manager configuration...
( 5/15) Updating udev hardware database...
( 6/15) Applying kernel sysctl settings...
( 7/15) Creating temporary files...
( 8/15) Reloading device manager configuration...
( 9/15) Arming ConditionNeedsUpdate...
(10/15) Updating module dependencies...
(11/15) Updating linux initcpios...
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img
==> Starting build: '6.8.8-arch1-1'
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [microcode]
  -> Running build hook: [modconf]
  -> Running build hook: [kms]
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
  -> Running build hook: [consolefont]
==> WARNING: consolefont: no font found in configuration
  -> Running build hook: [block]
  -> Running build hook: [encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
  -> Running build hook: [filesystems]
  -> Running build hook: [resume]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux.img'
  -> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
  -> Running post hook: [sbctl]
Signing EFI binaries...
Generating EFI bundles....
File has already been signed /boot/EFI/arch/fwupdx64.efi
✓ Signed /boot/vmlinuz-linux
==> Post processing done
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
==> Using default configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-linux -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: '6.8.8-arch1-1'
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [microcode]
  -> Running build hook: [modconf]
  -> Running build hook: [kms]
==> WARNING: Possibly missing firmware for module: 'ast'
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
  -> Running build hook: [consolefont]
==> WARNING: consolefont: no font found in configuration
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'aic94xx'
==> WARNING: Possibly missing firmware for module: 'wd719x'
==> WARNING: Possibly missing firmware for module: 'bfa'
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
  -> Running build hook: [encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
  -> Running build hook: [filesystems]
  -> Running build hook: [resume]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
  -> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
  -> Running post hook: [sbctl]
Signing EFI binaries...
Generating EFI bundles....
File has already been signed /boot/EFI/arch/fwupdx64.efi
File has already been signed /boot/vmlinuz-linux
==> Post processing done
(12/15) Reloading system bus configuration...
(13/15) Updating icon theme caches...
(14/15) Updating the desktop file MIME type cache...
(15/15) Signing EFI binaries...
Generating EFI bundles....
File has already been signed /boot/EFI/arch/fwupdx64.efi
File has already been signed /boot/vmlinuz-linux

Even though this is not really a big issue, I was wondering if there is an easy way to streamline this. Thank you in advance!

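One way to take the redundancy out of the three signing passes above, as an added example that is not code from the post, from sbctl or from mkinitcpio: a "sign on change" wrapper that remembers the digest of each managed EFI binary after signing it and hands only files whose content has changed to the signer, so additional hook invocations in the same transaction become no-ops. The state-file path, the signer command (`sbctl sign -s`) and the two managed paths at the bottom are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post or from the sbctl/mkinitcpio projects.
# "Sign on change": remember the SHA-256 of each managed EFI binary after it was
# signed and, on later runs, hand only files whose digest changed to the signer.
# However many hooks call it during one pacman transaction, each changed file
# is signed once and an untouched file (fwupdx64.efi in the post) is not even
# passed to sbctl. Assumed/constructed: the STATE path, the SIGNER command and
# the two managed paths at the bottom. Paths must not contain whitespace.

: "${SIGNER:=sbctl sign -s}"                   # command prefix, file appended
: "${STATE:=/var/lib/sign-on-change/digests}"  # one "digest path" per line

digest_of() { sha256sum -- "$1" | cut -d' ' -f1; }

# Digest recorded for $1 after its last signing, or empty if never signed here.
recorded_digest() {
    [ -f "$STATE" ] || return 0
    awk -v p="$1" '$2 == p { print $1 }' "$STATE"
}

# Replace the recorded line for $1 with the digest of the file as it is now.
record_digest() {
    mkdir -p -- "$(dirname -- "$STATE")" && touch -- "$STATE"
    new_state="$STATE.tmp.$$"
    { awk -v p="$1" '$2 != p' "$STATE"
      printf '%s %s\n' "$(digest_of "$1")" "$1"; } > "$new_state"
    mv -- "$new_state" "$STATE"
}

# Sign every argument whose digest differs from the recorded one.
# Progress goes to stderr; stdout carries only the number of files signed.
sign_on_change() {
    signed=0
    for f in "$@"; do
        [ -f "$f" ] || { echo "skip: $f does not exist" >&2; continue; }
        if [ "$(digest_of "$f")" = "$(recorded_digest "$f")" ]; then
            echo "unchanged, not re-signed: $f" >&2
            continue
        fi
        $SIGNER "$f" || return 1       # unquoted on purpose: SIGNER is a prefix
        record_digest "$f"             # store the digest of the signed file
        signed=$((signed + 1))
    done
    echo "$signed"
}

# Hook entry point (paths taken from the post); inert when sourced elsewhere.
if [ "${0##*/}" = "sign-on-change" ]; then
    sign_on_change /boot/vmlinuz-linux /boot/EFI/arch/fwupdx64.efi
fi
```

Installed as the Exec of a single PostTransaction hook, and pointed at by the mkinitcpio post hook as well, it leaves the later calls in one update with nothing to do.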