Patch for the mkinitcpio script to sign kernels and initramfs images after compression.
To apply the patch, use the included hook: put the patch in /root
and the hook in /etc/pacman.d/hooks/
and reinstall the mkinitcpio package.
Make sure to add NoUpgrade = etc/mkinitcpio.conf
(no initial slash) to /etc/pacman.conf
so that you never build an image from a config that the package default has overwritten.
Obviously, this only works once you have generated a keypair in /root/keys
and stored its passphrase there.
- Follow the instructions from Fedja Beader's guide "GRUB secure boot with GPG".
  The security of this setup depends on a good GRUB password, because GPG signature checking can be disabled from the interactive console with:
  set check_signatures=no
- Double check that
  /boot/boot.key
  is trusted (that it doesn't require a signature).
- Prepare yourself for when you're unable to boot because of mismatching signatures. Write down your super strong GRUB passphrase so that you can reach the command line and run
  unset check_signatures
  if they don't match.
- If the patch succeeded, manually run mkinitcpio and check with
  gpg --homedir /root/keys --verify /boot/vmlinuz-linux.sig
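The following is an added example of the signing and verification step that a post-build hook like the patch above performs; it is not the patch itself and not part of Fedja Beader's guide. It assumes the keyring lives in /root/keys (as above) and, as a hypothetical layout, that the passphrase is stored in the file /root/keys/passphrase; both can be overridden through the GPG_HOME and PASSFILE environment variables. The preset name and boot directory are arguments, so it can be tried against a scratch directory before being wired into /boot.

```shell
#!/bin/sh
# Added example: detached-sign the kernel and initramfs of one mkinitcpio preset
# and verify the result, the way the patched build step would after compression.
# Assumed layout (hypothetical): keyring in /root/keys, passphrase in /root/keys/passphrase.

GPG_HOME="${GPG_HOME:-/root/keys}"
PASSFILE="${PASSFILE:-$GPG_HOME/passphrase}"

# sign_image FILE: write a detached signature FILE.sig next to FILE.
# --batch/--yes make it non-interactive and overwrite a stale .sig from the
# previous build; loopback pinentry reads the passphrase from PASSFILE.
sign_image() {
    file="$1"
    [ -f "$file" ] || { echo "sign_image: $file does not exist" >&2; return 1; }
    gpg --homedir "$GPG_HOME" --batch --yes --pinentry-mode loopback \
        --passphrase-file "$PASSFILE" \
        --detach-sign --output "$file.sig" "$file"
}

# verify_image FILE: succeed only if FILE.sig is a good signature over FILE.
# This is the same check GRUB performs before loading the image.
verify_image() {
    file="$1"
    gpg --homedir "$GPG_HOME" --batch --verify "$file.sig" "$file" 2>/dev/null
}

# sign_boot_artifacts PRESET [BOOTDIR]: sign vmlinuz-PRESET, initramfs-PRESET.img
# and, if present, the fallback image. Any failure aborts so that a half-signed
# /boot is noticed at build time rather than at the next reboot.
sign_boot_artifacts() {
    preset="$1"
    bootdir="${2:-/boot}"
    for f in "$bootdir/vmlinuz-$preset" \
             "$bootdir/initramfs-$preset.img" \
             "$bootdir/initramfs-$preset-fallback.img"; do
        [ -e "$f" ] || continue
        sign_image "$f" || return 1
        verify_image "$f" || { echo "verification failed for $f" >&2; return 1; }
    done
}

# Usage: ./sign-boot.sh PRESET [BOOTDIR]   (no arguments: only define the functions)
[ $# -eq 0 ] || sign_boot_artifacts "$@"
```

Running it as `./sign-boot.sh linux` after mkinitcpio reproduces what the hook does for the default preset; the immediate verify_image after each sign_image is the cheap safeguard that turns a wrong passphrase or a missing key into a build error instead of an unbootable system.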