From 10e50f8c55a56fc4260e171239b5fbdbde1b433d Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Sun, 27 Jul 2025 19:28:06 +0100 Subject: [PATCH] shim: ensure binaries do not get installed to ESP with .signed suffix Binaries in the ESP need to be .efi, not .efi.signed, so truncate the filename if the source has it (like MOK in Debian). --- mkosi/bootloader.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py index 6f112b854..20bfb4921 100644 --- a/mkosi/bootloader.py +++ b/mkosi/bootloader.py @@ -585,6 +585,10 @@ def find_and_install_shim_binary( rel = p.relative_to(context.root) if (context.root / output).is_dir(): + # The ESP wants .efi files, not .efi.signed or .efi.signed.latest + if rel.suffix and rel.suffix != ".efi": + left_stem, _ = rel.name.split(".", maxsplit=1) + rel = rel.with_name(f"{left_stem}.efi") output /= rel.name log_step(f"Installing signed {name} EFI binary from /{rel} to /{output}") -- 2.47.2