Hello #systemd bubble! Does anyone know why `ukify genkey` generates a signing key/cert pair (AFAICT that corresponds to the #EFI #SecureBoot DB Key/Cert), and even references sd-boot's ability to enroll them, but sd-boot requires .auth files for KEK, PK and DB (I mean, it can't just invent them :'-D)?

So, the only way to do that is to either manually generate KEK, PK and then sign them with the DB key and generate the .auth files, or to let a tool like #sbctl or whatever generate them and try to feed those into ukify (which internally uses #sbsigntool). But both seem to be a bit more of a hassle than needed?

#UEFI