
Issue with Re-signing Limine EFI File After Enrolling Config #408

Zesko opened this issue Dec 22, 2024 · 4 comments

Comments


Zesko commented Dec 22, 2024

I would like to report an issue with the re-signing process of a Limine EFI file after enrolling the config key. When trying to re-sign the file, I encounter an "Incorrect digest" error.

Steps to reproduce:

  1. Sign the file using sbctl (works), but there is no option to reset the signature of this file:
     sbctl sign limine_x64.efi
  2. Enroll a key of the Limine config into this EFI file to protect against modifying this config:
     limine enroll-config limine_x64.efi  $(b2sum /boot/efi/limine.conf)
  3. Re-sign this file (does not work):
     sbctl sign limine_x64.efi

Output: Incorrect digest

Problem:

After enrolling the config key into the EFI file, I am unable to re-sign the file due to the "Incorrect digest" error.
It seems there is no option to reset the signature. I would like to know if there is a way to reset the signature or a workaround for this issue.

@Foxboron (Owner) commented

Why would you need to edit the file after signing it?


Zesko commented Dec 22, 2024

In the case of a kernel update or installation (such as for initramfs or vmlinuz) without using UKI, this can cause a mismatch with the checksum inside the Limine EFI file, which is why the EFI file needs to be updated.

@Foxboron (Owner) commented

Why don't you just replace the binary?


Zesko commented Dec 22, 2024

This is a trick that I also thought of before.

It would be inefficient for an automated process to check the source path of the original binary and replace the old file every time initramfs is built.

I just wanted to ask if it is possible to implement an option to reset the signature, nothing more. If it’s not possible, that’s fine with me. 🙂
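An added example, not code from sbctl, from Limine, or from either participant in the thread: a Python script that automates the "just replace the binary" workaround in the order that keeps the signature valid. It copies the distro's pristine, unsigned Limine image over the copy on the ESP (discarding the stale config hash and the old signature at once), embeds the BLAKE2b-512 hash of limine.conf with `limine enroll-config`, and only then runs `sbctl sign`. Doing it the other way round, signing first and enrolling afterwards, modifies an already-signed PE image, so the Authenticode digest embedded in the signature no longer matches the file, which is what the "Incorrect digest" report above describes. The paths under /usr/share/limine and /boot/efi, the config text and the stub image bytes are assumptions constructed for the example, and it assumes `enroll-config` wants only the hex digest (the first field `b2sum` prints). The `run` argument is injectable so the flow can be exercised on a machine without limine or sbctl installed; `demo()` does exactly that.

```python
"""Re-sign a Limine EFI image after its enrolled config hash changes.

Example code, not part of sbctl or Limine.  Never patch a signed image in
place: replace it with the pristine copy, enroll the config hash, then sign.
"""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumed paths (not taken from the issue): distro-shipped unsigned image,
# its copy on the ESP, and the config whose hash is enrolled.
PRISTINE_EFI = Path("/usr/share/limine/BOOTX64.EFI")
TARGET_EFI = Path("/boot/efi/EFI/limine/limine_x64.efi")
LIMINE_CONF = Path("/boot/efi/limine.conf")


def conf_digest(conf: Path) -> str:
    """Hex BLAKE2b-512 of the config: the first field `b2sum` prints."""
    return hashlib.blake2b(conf.read_bytes(), digest_size=64).hexdigest()


def resign(pristine: Path, target: Path, conf: Path, run=subprocess.run):
    """Replace, enroll, sign.  `run` is injectable for testing without the
    real tools.  Returns the commands that were executed, in order."""
    # Step 1: overwrite the ESP copy with the pristine image.  This drops
    # both the old config hash and the old signature, so sbctl sees an
    # unsigned file and has no stale digest to check.
    shutil.copyfile(pristine, target)
    cmds = [
        # Step 2: embed the current config hash (hex digest only, assumed;
        # not the "<hash>  <file>" line b2sum prints).
        ["limine", "enroll-config", str(target), conf_digest(conf)],
        # Step 3: sign the now-final image.  Nothing may touch it afterwards.
        ["sbctl", "sign", str(target)],
    ]
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


class RecordingRunner:
    """Stand-in for subprocess.run: records commands and mimics the one side
    effect that matters here, enroll-config modifying the image bytes."""

    def __init__(self):
        self.calls = []

    def __call__(self, cmd, check=True):
        self.calls.append(cmd)
        if cmd[:2] == ["limine", "enroll-config"]:
            with Path(cmd[2]).open("ab") as f:   # simulated: append the hash
                f.write(bytes.fromhex(cmd[3]))
        return subprocess.CompletedProcess(cmd, 0)


def demo() -> dict:
    """Run the flow on constructed files in a temp dir (no tools needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        pristine, target, conf = d / "BOOTX64.EFI", d / "limine_x64.efi", d / "limine.conf"
        pristine.write_bytes(b"MZ" + b"\0" * 62)                  # constructed stub image
        target.write_bytes(pristine.read_bytes() + b"OLD-SIG")    # previously signed copy
        conf.write_text("timeout: 5\n/Arch Linux\n    protocol: linux\n")  # constructed
        runner = RecordingRunner()
        cmds = resign(pristine, target, conf, run=runner)
        return {
            "commands": [" ".join(c[:2]) for c in cmds],
            "digest": conf_digest(conf),
            "enrolled_hash": runner.calls[0][3],
            "old_sig_gone": b"OLD-SIG" not in target.read_bytes(),
        }


if __name__ == "__main__":
    # Real run, e.g. from a pacman or initramfs post-hook; needs limine + sbctl.
    for cmd in resign(PRISTINE_EFI, TARGET_EFI, LIMINE_CONF):
        print("ran:", " ".join(cmd))
```

Hooking `resign()` into whatever regenerates the initramfs makes the "check the source path and replace the old file" step Zesko calls inefficient a fixed three-command sequence with no signature to reset, because the signed image is always produced from the pristine copy rather than edited.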
