This is a small mkinitcpio post hook that will trigger a signing process to the UKI provided using any inserted YubiKey and systemd-sbsign.
It will check if a YubiKey is inserted, if the provided slot has any private key in it and whether the UKI is already signed by the YubiKey, skipping the process if the result is not correct.
Will ask for a PIN when the slot is configured as such.
- Works with multiple YubiKeys (Will only sign with one)
Clone repository and move/cp the file to /etc/initcpio/post/. Make it executable.
$ mv uki-sign-yk /etc/initcpio/post/uki-sign-yk
$ chmod +x /etc/initcpio/post/uki-sign-ykRemember to set the correct db slot inside the script!
It will auto execute on every UKI generation when using mkinitcpio.
Test it by invocating the script directly or by rebuilding the UKI.
$ /path/to/uki-sign-yk /path/to/UKI.efi$ mkinitcpio -P