Why is systemd-boot not signed?

Why is systemd-boot not signed at the moment? The package info reads:

This package contains the unsigned version. Install systemd-boot instead to get
the version that works with Secure Boot.

But there isn’t really a systemd-boot package.

If I understand correcly, to use sd-boot with Secure Boot, the only missing piece is just signing the sd-boot with Fedora key[1], which a user can’t do.

The alternative is ripping out the entire Secure Boot key chain, replace with your own, sign sd-boot and kernel etc. with your key[2] [3], which is just too much for me atm…


  1. https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/EBCIGKI4EC5KNLKRYFCGFSIQDEN5Y2M5/ ↩︎

  2. ↩︎

  3. ↩︎

Found this[1]. Seems to be backend overhaul.
Though I don’t quite get why not just sign it the same way as grub, then improve backend and update it later. It already took 2 years…


  1. https://pagure.io/releng/issue/10765 ↩︎

1 Like

I misspoke about the alternative. It might not be as tedious as it sounds.

Added secure-boot, systemd-boot