Sign kernel with sbctl to dual boot with Windows
This is more like a "note to self", since most of the commands can be found on the project's GitHub page.
Start by installing the program; in my case I use Gentoo, so:
~ # emerge sbctl
Reboot into the BIOS, enable Secure Boot and setup mode, then boot back into Linux and open a terminal:
~ # sbctl status
Installed: ✗ sbctl is not installed
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: none
~ # sbctl create-keys
Created Owner UUID 234k3cgg-df6y-403b-2322-j323c45669k0
Creating secure boot keys...✓
Secure boot keys created!
To be able to dual boot with Windows and have BitLocker enabled, I have to enroll the keys along with the Microsoft ones by issuing:
~ # sbctl enroll-keys --microsoft
Enrolling keys to EFI variables...
With vendor keys from microsoft...✓
Enrolled keys to the EFI variables!
Check the status:
~ # sbctl status
Installed: ✓ sbctl is installed
Owner GUID: 234k3cgg-df6y-403b-2322-j323c45669k0
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
Find the files to sign:
~ # sbctl verify
Verifying file database and EFI images in /boot...
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed
✗ /boot/vmlinuz-6.5.4-cardgee-x86_64 is not signed
And finally sign them with:
~ # sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
✓ Signed /boot/EFI/BOOT/BOOTX64.EFI
~ # sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
✓ Signed /boot/EFI/systemd/systemd-bootx64.efi
~ # sbctl sign -s /boot/vmlinuz-6.5.4-cardgee-x86_64
✓ Signed /boot/vmlinuz-6.5.4-cardgee-x86_64
~ # reboot
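The verify and sign steps above as one small script. This is an added example, not from the original post or the sbctl project: it parses the "is not signed" lines and runs the same sbctl sign -s command on each path. The function names, the DRY_RUN switch and the skipping of paths under EFI/Microsoft are assumptions of this example, and the bootmgfw.efi line in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the post or the sbctl project).

# Constructed sample: the three lines from the verify output above, plus one
# constructed Windows boot manager line to show the exclusion.
SAMPLE_VERIFY='Verifying file database and EFI images in /boot...
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✗ /boot/EFI/Microsoft/Boot/bootmgfw.efi is not signed
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed
✗ /boot/vmlinuz-6.5.4-cardgee-x86_64 is not signed'

# Read verify output on stdin, print one path per line that needs signing.
# Paths under EFI/Microsoft are dropped: those binaries carry Microsoft's
# signature, which "enroll-keys --microsoft" already trusts.
unsigned_files() {
    sed -n -e '\#/EFI/Microsoft/#d' \
           -e 's/^✗ \(.*\) is not signed$/\1/p'
}

# Read paths on stdin and sign each one. DRY_RUN=1 (the default) only prints
# the commands so the list can be reviewed before anything is modified.
sign_files() {
    count=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'sbctl sign -s %s\n' "$path"
        else
            # -s also saves the path in sbctl's file database
            sbctl sign -s "$path" || return 1
        fi
        count=$((count + 1))
    done
    echo "files handled: $count" >&2
}

# Demo on the sample. On a real system (assuming verify prints to stdout in
# the form shown above): sbctl verify | unsigned_files | DRY_RUN=0 sign_files
printf '%s\n' "$SAMPLE_VERIFY" | unsigned_files | sign_files
```

Files saved with -s can later be re-signed in one go with sbctl sign-all, for example after a bootloader update replaces the signed binary.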