archboot/usr/lib/initcpio/install/archboot_secure_boot
2022-02-03 22:05:49 +01:00


#!/usr/bin/env bash
# Created by Tobias Powalowski <tpowa@archlinux.org>
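build ()
{
    # mkinitcpio install hook: adds the secure boot tooling, the efitools EFI
    # binaries, the key helper scripts and the Fedora-signed shim binaries
    # to the archboot image.
    # Globals:   _RUNNING_ARCH, apps, i, _SHIM_URL, _SHIM (all written)
    # Returns:   non-zero if the temporary directory cannot be created or a
    #            shim download fails; otherwise the status of the last add_file.
    # Reference: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
    _RUNNING_ARCH="$(uname -m)"
    apps="openssl cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
hash-to-efi-sig-list sig-list-to-certs cert-to-efi-sig-list sign-efi-sig-list sbattach sbkeysync \
sbsiglist sbsign sbvarsign sbverify mokutil"
    add_file "/etc/ssl/openssl.cnf"
    # $apps is deliberately unquoted: it is a whitespace-separated list.
    for i in $apps; do
        add_binary "$i"
    done
    # add mkkeys.sh,
    # curl -s -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
    # modified to use uuidgen instead of python
    add_file "/usr/bin/archboot-mkkeys.sh" "/usr/bin/mkkeys.sh"
    # add efitools files (PreLoader.efi is only added on x86_64)
    if [[ "${_RUNNING_ARCH}" == "x86_64" ]]; then
        add_file "/usr/share/efitools/efi/PreLoader.efi"
    fi
    add_file "/usr/share/efitools/efi/HashTool.efi"
    add_file "/usr/share/efitools/efi/KeyTool.efi"
    # add shim signed files from fedora
    _SHIM_URL="https://pkgbuild.com/~tpowa/archboot-helper/fedora-shim"
    # Abort early: without a download directory every later step would
    # operate on an empty path.
    _SHIM=$(mktemp -d /var/tmp/shim.XXXX) || return 1
    # Per-architecture list of shim / MokManager binaries to fetch.
    local -a _shim_files=()
    case "${_RUNNING_ARCH}" in
        x86_64)
            _shim_files=(shimx64.efi mmx64.efi mmia32.efi shimia32.efi)
            ;;
        aarch64)
            _shim_files=(mmaa64.efi shimaa64.efi)
            ;;
    esac
    # NOTE(review): these boot-chain binaries are fetched at image build time
    # and are not checked against a pinned checksum or signature here; their
    # authenticity rests on TLS to the download host. Consider verifying a
    # known-good hash (for example with sha256sum -c) before add_file.
    # NOTE(review): ${_SHIM} is not removed by this function.
    for i in "${_shim_files[@]}"; do
        # --fail: an HTTP error must not leave an error page on disk that is
        #         then shipped as an .efi file.
        # --proto/--proto-redir: -L follows redirects; keep every hop on HTTPS.
        # The -s test rejects a download that produced no file or an empty one.
        if ! curl -s --fail --proto '=https' --proto-redir '=https' \
                --create-dirs -L -O --output-dir "${_SHIM}" "${_SHIM_URL}/${i}" \
            || [[ ! -s "${_SHIM}/${i}" ]]; then
            echo "archboot_secure_boot: failed to download ${_SHIM_URL}/${i}" >&2
            return 1
        fi
        add_file "${_SHIM}/${i}" "/usr/share/archboot/fedora-shim/${i}"
    done
    # add generate keys script
    add_file "/usr/bin/archboot-secureboot-keys.sh" "/usr/bin/secureboot-keys.sh"
}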
help ()
{
    # Print the one-line description of this hook on stdout.
    printf '%s\n' "This hook includes secure boot tools on an archboot image."
}