BootC: How can I sign shim and kernel with own keys?

dirk1980ac · October 20, 2025, 10:13pm

Hello.

I made some bootc images for embedded systems and want to sign kernel and shim with my own keys. Consider the keys existing and the enrollment in UEFI as done. This works with a concentional system, only shim/kernel signed by me boot.

Now: How can I sign shim and kernel during a bootc container build.
I should probably better ask: Where the files are which I can sign?

/boot is empty in side the image, but the files should be anywhere anyways.

Thanks in advance.

Kind regards,

Dirk

siosm · November 4, 2025, 3:18pm

The kernel and the initrd are in /usr/lib/modules/<version>/ (vmlinuz & initramfs.img). Shim & GRUB are in /usr/lib/bootupd/updates/EFI.

You can re-sign them using pesign / sbsigntools in your Containerfile.

Topic		Replies	Views
Bad shim signature Ask Fedora f37 , grub	1	6952	November 23, 2022
How can I sign my self-built kernel with my own key? Ask Fedora	3	1054	September 15, 2021
Creating a custom kernel with a valid signature Ask Fedora f33	1	767	February 13, 2021
UEFI Secure boot sign for custom kernel modules help Ask Fedora	2	509	March 22, 2023
Signing custom kernel & modules failed Ask Fedora f35	9	2365	March 17, 2022

BootC: How can I sign shim and kernel with own keys?

Related topics