mikaeldui · December 22, 2025 17:41 · Dec 6, 2025 · Dec 6, 2025 · Dec 6, 2025 · Aug 4, 2025
diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -7,7 +7,7 @@ First, make sure you have Secure Boot with `mokutil --sb-state`.
 
 *Note, there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didn't want to wipe my Secure Boot keys.*
 
-Need help? Feel free to leave a comment below, contact me (@mikaeldui) on the [CachyOS Discord](https://discord.com/servers/cachyos-862292009423470592), or [send me an email](mailto:ed184999-8363-4f40-85c5-a4a40a1d71dc@bolinder.uk).
+Need help? Feel free to leave a comment below, contact me (@mikaeldui) on the [CachyOS Discord](https://discord.com/servers/cachyos-862292009423470592), or [send me an email](mailto:ed184999-8363-4f40-85c5-a4a40a1d71dc@bolinder.uk?subject=CachyOS%20Kernel%20for%20Fedora%20with%20Secure%20Boot&body=Dear%20Mikael%2C%0A%0A%5Binsert%20question%5D).
 
 # Installing the CachyOS Kernel
 Full instructions at https://github.com/CachyOS/copr-linux-cachyos

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -7,6 +7,8 @@ First, make sure you have Secure Boot with `mokutil --sb-state`.
 
 *Note, there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didn't want to wipe my Secure Boot keys.*
 
+Need help? Feel free to leave a comment below, contact me (@mikaeldui) on the [CachyOS Discord](https://discord.com/servers/cachyos-862292009423470592), or [send me an email](mailto:ed184999-8363-4f40-85c5-a4a40a1d71dc@bolinder.uk).
+
 # Installing the CachyOS Kernel
 Full instructions at https://github.com/CachyOS/copr-linux-cachyos
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -24,21 +24,32 @@ We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
 *Based on general kernel signing procedures for [Fedora](https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/) and [RHEL](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel#generating-a-public-and-private-key-pair_signing-a-kernel-and-modules-for-secure-boot).*
 
 ```bash
+# Install required packages
 sudo dnf install pesign openssl kernel-devel mokutil keyutils
+
+# Allow our user to sign kernels
 sudo echo "$USER" | sudo tee -a /etc/pesign/users
 sudo /usr/libexec/pesign/pesign-authorize
+
+# Generate a certificate to sign the kernel with
 openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
  -outform DER -out "cert.der" -nodes -days 36500 \
  -subj "/CN=CachyOS Secure Boot/"
 openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
 sudo certutil -A -i cert.der -n "CachyOS Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
+
+# Import the certificate
 sudo pk12util -i key.p12 -d /etc/pki/pesign
 sudo mokutil --import "cert.der"
+
+# Sign the kernel, replace "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with the current version.
 cd /boot
 sudo pesign --certificate 'CachyOS Secure Boot' \
  --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
  --sign \
  --out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
+
+# Manually replace the unsigned kernel with the signed one (pesign can't overwrite files right now).
 sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64
 ```
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -79,7 +79,7 @@ echo "Signing $KERNEL_IMAGE..."
 pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
 mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 ```
-3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
+3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/00-signing ; sudo chmod u+rx /etc/kernel/postinst.d/00-signing`
 
 ## Fix default kernel after updates
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -25,7 +25,7 @@ We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
 
 ```bash
 sudo dnf install pesign openssl kernel-devel mokutil keyutils
-sudo echo "$USER" >> /etc/pesign/users
+sudo echo "$USER" | sudo tee -a /etc/pesign/users
 sudo /usr/libexec/pesign/pesign-authorize
 openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
  -outform DER -out "cert.der" -nodes -days 36500 \

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -92,6 +92,6 @@ Whenever you receive an update to the official Fedora kernel it will replace the
 
 set -e
 
-grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos | sort -V | tail -1)
+grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachy | sort -V | tail -1)
 ```
 3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/99-default ; sudo chmod u+rx /etc/kernel/postinst.d/99-default`
diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -76,8 +76,8 @@ fi
 
 echo "Signing $KERNEL_IMAGE..."
 
-sudo pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
-sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
+pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
+mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 ```
 3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -8,15 +8,15 @@ First, make sure you have Secure Boot with `mokutil --sb-state`.
 *Note, there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didn't want to wipe my Secure Boot keys.*
 
 # Installing the CachyOS Kernel
-Instructions at https://github.com/CachyOS/copr-linux-cachyos
+Full instructions at https://github.com/CachyOS/copr-linux-cachyos
 
 1. Check your CPU support `/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)"`, my CPU supports v2, v3 and v4.
 2. Enable a suitable repo: `sudo dnf copr enable bieszczaders/kernel-cachyos`.
 3. Install suitable kernel: `sudo dnf install kernel-cachyos kernel-cachyos-devel-matched`.
 4. Let the kernel load modules: `sudo setsebool -P domain_kernel_load_modules on`.
 5. Done!
 
-If you reboot now you'll get the "bad shim signature" error and have to pick an official Fedora kernel to boot, don't worry.
+If you reboot now you'll get the "bad shim signature" error and have to pick an official Fedora kernel to boot. Don't worry, you didn't break anything.
 
 # Signing the CachyOS Kernel
 We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
@@ -29,21 +29,21 @@ sudo echo "$USER" >> /etc/pesign/users
 sudo /usr/libexec/pesign/pesign-authorize
 openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
  -outform DER -out "cert.der" -nodes -days 36500 \
- -subj "/CN=mikaeldui Secure Boot/"
+ -subj "/CN=CachyOS Secure Boot/"
 openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
-sudo certutil -A -i cert.der -n "mikaeldui Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
+sudo certutil -A -i cert.der -n "CachyOS Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
 sudo pk12util -i key.p12 -d /etc/pki/pesign
 sudo mokutil --import "cert.der"
 cd /boot
-sudo pesign --certificate 'mikaeldui Secure Boot' \
+sudo pesign --certificate 'CachyOS Secure Boot' \
  --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
  --sign \
  --out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
 sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64
 ```
 
 And reboot and choose enroll the key. The MOK password is only used once so I suggest using "12345678".
-Replace "mikaeldui Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
+Replace "CachyOS Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
 
 # Automatically signing kernel updates
 
@@ -57,7 +57,7 @@ Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled
 set -e
 
 KERNEL_IMAGE="$2"
-MOK_KEY_NICKNAME="mikaeldui Secure Boot"
+MOK_KEY_NICKNAME="CachyOS Secure Boot"
 
 if [ "$#" -ne "2" ] ; then
 echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
@@ -79,7 +79,7 @@ echo "Signing $KERNEL_IMAGE..."
 sudo pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
 sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 ```
-3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
+3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
 
 ## Fix default kernel after updates
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -83,7 +83,7 @@ sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 
 ## Fix default kernel after updates
 
-Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel, and another is to reset the default kernel to CachyOS after each update:
+Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as the default kernel. One solution is to uninstall the official kernel, and another is to reset the default kernel to CachyOS after each update:
 
 1. Create and open `sudo nano /etc/kernel/postinst.d/99-default`
 2. Enter the following content:

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -5,7 +5,7 @@ Did you just install `kernel-cachyos` and got hit by `bad shim signature` when b
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.
 
-*Note, there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didnt want to wipe my Secure Boot keys.*
+*Note, there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didn't want to wipe my Secure Boot keys.*
 
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -5,7 +5,7 @@ Did you just install `kernel-cachyos` and got hit by `bad shim signature` when b
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.
 
-*Note, there's a second way of doing this with [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didnt want to wipe my Secure Boot keys.*
+*Note, there's a second way of doing this by using [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didnt want to wipe my Secure Boot keys.*
 
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -5,7 +5,7 @@ Did you just install `kernel-cachyos` and got hit by `bad shim signature` when b
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.
 
-*Note, theres a second way of doing this with [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didnt want to wipe my Secure Boot keys.*
+*Note, there's a second way of doing this with [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didnt want to wipe my Secure Boot keys.*
 
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -83,7 +83,7 @@ sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 
 ## Fix default kernel after updates
 
-Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel and another could be to reset the default kernel to CachyOS after each update:
+Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel, and another is to reset the default kernel to CachyOS after each update:
 
 1. Create and open `sudo nano /etc/kernel/postinst.d/99-default`
 2. Enter the following content:

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -83,7 +83,7 @@ sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 
 ## Fix default kernel after updates
 
-Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel and another could be to reset the default kernel to CachyOS on each update.
+Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel and another could be to reset the default kernel to CachyOS after each update:
 
 1. Create and open `sudo nano /etc/kernel/postinst.d/99-default`
 2. Enter the following content:

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -46,7 +46,6 @@ And reboot and choose enroll the key. The MOK password is only used once so I su
 Replace "mikaeldui Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
 
 # Automatically signing kernel updates
-Experimental: I haven't tested this yet, so I dont know if it works.
 
 Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Let's make sure that it continues to work across updates!
 
@@ -83,7 +82,6 @@ sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
 
 ## Fix default kernel after updates
-Experimental!
 
 Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel and another could be to reset the default kernel to CachyOS on each update.
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -21,6 +21,8 @@ If you reboot now you'll get the "bad shim signature" error and have to pick an
 # Signing the CachyOS Kernel
 We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
 
+*Based on general kernel signing procedures for [Fedora](https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/) and [RHEL](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel#generating-a-public-and-private-key-pair_signing-a-kernel-and-modules-for-secure-boot).*
+
 ```bash
 sudo dnf install pesign openssl kernel-devel mokutil keyutils
 sudo echo "$USER" >> /etc/pesign/users

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -5,7 +5,7 @@ Did you just install `kernel-cachyos` and got hit by `bad shim signature` when b
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.
 
-*This guide shows an altenative method using `pesign` and `mokutil`. The [recommended `sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/) wasn't compatible with my setup.*
+*Note, theres a second way of doing this with [`sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/), but I didnt want to wipe my Secure Boot keys.*
 
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -92,6 +92,6 @@ Whenever you receive an update to the official Fedora kernel it will replace the
 
 set -e
 
-grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos | tail -1)
+grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos | sort -V | tail -1)
 ```
 3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/99-default ; sudo chmod u+rx /etc/kernel/postinst.d/99-default`
diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -43,7 +43,7 @@ sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.
 And reboot and choose enroll the key. The MOK password is only used once so I suggest using "12345678".
 Replace "mikaeldui Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
 
-# Signing kernel updates
+# Automatically signing kernel updates
 Experimental: I haven't tested this yet, so I dont know if it works.
 
 Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Let's make sure that it continues to work across updates!
@@ -80,7 +80,7 @@ sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 ```
 3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
 
-## Default kernel after updates
+## Fix default kernel after updates
 Experimental!
 
 Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel and another could be to reset the default kernel to CachyOS on each update.

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -92,6 +92,6 @@ Whenever you receive an update to the official Fedora kernel it will replace the
 
 set -e
 
-grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos)
+grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos | tail -1)
 ```
 3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/99-default ; sudo chmod u+rx /etc/kernel/postinst.d/99-default`
diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -94,4 +94,4 @@ set -e
 
 grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos)
 ```
-3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/99-default ; chmod u+rx /etc/kernel/postinst.d/99-default`
+3. Correct the permissions with: `sudo chown root:root /etc/kernel/postinst.d/99-default ; sudo chmod u+rx /etc/kernel/postinst.d/99-default`
diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -79,3 +79,19 @@ sudo pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out
 sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
 ```
 3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
+
+## Default kernel after updates
+Experimental!
+
+Whenever you receive an update to the official Fedora kernel it will replace the CachyOS kernel as default. One solution is to uninstall the official kernel and another could be to reset the default kernel to CachyOS on each update.
+
+1. Create and open `sudo nano /etc/kernel/postinst.d/99-default`
+2. Enter the following content:
+```bash
+#!/bin/sh
+
+set -e
+
+grubby --set-default=/boot/$(ls /boot | grep vmlinuz.*cachyos)
+```
+3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/99-default ; chmod u+rx /etc/kernel/postinst.d/99-default`
diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -46,7 +46,7 @@ Replace "mikaeldui Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with w
 # Signing kernel updates
 Experimental: I haven't tested this yet, so I dont know if it works.
 
-Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Lets make sure that it continues to work across updates!
+Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Let's make sure that it continues to work across updates!
 
 1. Create and open `sudo nano /etc/kernel/postinst.d/00-signing`
 2. Enter the following content:

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -5,7 +5,7 @@ Did you just install `kernel-cachyos` and got hit by `bad shim signature` when b
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.
 
-*This guide shows an altenative method using `pesign` and `mokutil`. The [recommended `sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/) wasnt compatible with my setup.*
+*This guide shows an altenative method using `pesign` and `mokutil`. The [recommended `sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/) wasn't compatible with my setup.*
 
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -10,7 +10,7 @@ First, make sure you have Secure Boot with `mokutil --sb-state`.
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos
 
-1. Check your CPU support `/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)"`, my cpu supports v2, v3 and v4.
+1. Check your CPU support `/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)"`, my CPU supports v2, v3 and v4.
 2. Enable a suitable repo: `sudo dnf copr enable bieszczaders/kernel-cachyos`.
 3. Install suitable kernel: `sudo dnf install kernel-cachyos kernel-cachyos-devel-matched`.
 4. Let the kernel load modules: `sudo setsebool -P domain_kernel_load_modules on`.

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -1,12 +1,12 @@
 ![image](https://gist.github.com/user-attachments/assets/b241ca59-fc62-4d67-8251-0bf8560d3b0d)
 
 # CachyOS Kernel for Fedora with Secure Boot
-This guide shows an altenative method using `pesign` and `mokutil`. The recommended `sbctl` wasnt compatible with my setup.
-
 Did you just install `kernel-cachyos` and got hit by `bad shim signature` when booting? Me too. This is how I fixed it.
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.
 
+*This guide shows an altenative method using `pesign` and `mokutil`. The [recommended `sbctl`](https://wiki.cachyos.org/configuration/secure_boot_setup/) wasnt compatible with my setup.*
+
 # Installing the CachyOS Kernel
 Instructions at https://github.com/CachyOS/copr-linux-cachyos
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -1,6 +1,8 @@
 ![image](https://gist.github.com/user-attachments/assets/b241ca59-fc62-4d67-8251-0bf8560d3b0d)
 
 # CachyOS Kernel for Fedora with Secure Boot
+This guide shows an altenative method using `pesign` and `mokutil`. The recommended `sbctl` wasnt compatible with my setup.
+
 Did you just install `kernel-cachyos` and got hit by `bad shim signature` when booting? Me too. This is how I fixed it.
 
 First, make sure you have Secure Boot with `mokutil --sb-state`.

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -1,3 +1,5 @@
+![image](https://gist.github.com/user-attachments/assets/b241ca59-fc62-4d67-8251-0bf8560d3b0d)
+
 # CachyOS Kernel for Fedora with Secure Boot
 Did you just install `kernel-cachyos` and got hit by `bad shim signature` when booting? Me too. This is how I fixed it.
 

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -29,7 +29,6 @@ sudo certutil -A -i cert.der -n "mikaeldui Secure Boot" -d /etc/pki/pesign/ -t "
 sudo pk12util -i key.p12 -d /etc/pki/pesign
 sudo mokutil --import "cert.der"
 cd /boot
-sudo dnf reinstall kernel-cachyos-core
 sudo pesign --certificate 'mikaeldui Secure Boot' \
  --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
  --sign \

diff --git a/CachyOS Kernel for Fedora with Secure Boot.md b/CachyOS Kernel for Fedora with Secure Boot.md
@@ -0,0 +1,78 @@
+# CachyOS Kernel for Fedora with Secure Boot
+Did you just install `kernel-cachyos` and got hit by `bad shim signature` when booting? Me too. This is how I fixed it.
+
+First, make sure you have Secure Boot with `mokutil --sb-state`.
+
+# Installing the CachyOS Kernel
+Instructions at https://github.com/CachyOS/copr-linux-cachyos
+
+1. Check your CPU support `/lib64/ld-linux-x86-64.so.2 --help | grep "(supported, searched)"`, my cpu supports v2, v3 and v4.
+2. Enable a suitable repo: `sudo dnf copr enable bieszczaders/kernel-cachyos`.
+3. Install suitable kernel: `sudo dnf install kernel-cachyos kernel-cachyos-devel-matched`.
+4. Let the kernel load modules: `sudo setsebool -P domain_kernel_load_modules on`.
+5. Done!
+
+If you reboot now you'll get the "bad shim signature" error and have to pick an official Fedora kernel to boot, don't worry.
+
+# Signing the CachyOS Kernel
+We can self-sign the kernel by adding our key as a MOK (Machine Owner Key).
+
+```bash
+sudo dnf install pesign openssl kernel-devel mokutil keyutils
+sudo echo "$USER" >> /etc/pesign/users
+sudo /usr/libexec/pesign/pesign-authorize
+openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
+ -outform DER -out "cert.der" -nodes -days 36500 \
+ -subj "/CN=mikaeldui Secure Boot/"
+openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
+sudo certutil -A -i cert.der -n "mikaeldui Secure Boot" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
+sudo pk12util -i key.p12 -d /etc/pki/pesign
+sudo mokutil --import "cert.der"
+cd /boot
+sudo dnf reinstall kernel-cachyos-core
+sudo pesign --certificate 'mikaeldui Secure Boot' \
+ --in vmlinuz-6.14.6-cachyos1.fc42.x86_64 \
+ --sign \
+ --out vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed
+sudo mv vmlinuz-6.14.6-cachyos1.fc42.x86_64.signed vmlinuz-6.14.6-cachyos1.fc42.x86_64
+```
+
+And reboot and choose enroll the key. The MOK password is only used once so I suggest using "12345678".
+Replace "mikaeldui Secure Boot" and "vmlinuz-6.14.6-cachyos1.fc42.x86_64" with whatever applies in your case.
+
+# Signing kernel updates
+Experimental: I haven't tested this yet, so I dont know if it works.
+
+Whooray! You can now boot the CachyOS Kernel for Fedora with Secure Boot enabled! Lets make sure that it continues to work across updates!
+
+1. Create and open `sudo nano /etc/kernel/postinst.d/00-signing`
+2. Enter the following content:
+```bash
+#!/bin/sh
+
+set -e
+
+KERNEL_IMAGE="$2"
+MOK_KEY_NICKNAME="mikaeldui Secure Boot"
+
+if [ "$#" -ne "2" ] ; then
+echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
+exit 1
+fi
+
+if [ ! -x "$(command -v pesign)" ] ; then
+echo "pesign not executable. Bailing." >&2
+exit 1
+fi
+
+if [ ! -w "$KERNEL_IMAGE" ] ; then
+echo "Kernel image $KERNEL_IMAGE is not writable." >&2
+exit 1
+fi
+
+echo "Signing $KERNEL_IMAGE..."
+
+sudo pesign --certificate "$MOK_KEY_NICKNAME" --in "$KERNEL_IMAGE" --sign --out "$KERNEL_IMAGE.signed"
+sudo mv "$KERNEL_IMAGE.signed" "$KERNEL_IMAGE"
+```
+3. Correct the permissions with: `chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing`
No results found