From 37cc4fb453b9f9d069316883cd5b9ad66cb34871 Mon Sep 17 00:00:00 2001
From: Klaus Zipfel
Date: Fri, 24 Oct 2025 17:03:03 +0200
Subject: [PATCH] enroll-keys: Ensure exported .auth files are signed by the correct keys

Fixes: #440
---
 cmd/sbctl/enroll-keys.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/cmd/sbctl/enroll-keys.go b/cmd/sbctl/enroll-keys.go
index 9ed8fd0..e712504 100644
--- a/cmd/sbctl/enroll-keys.go
+++ b/cmd/sbctl/enroll-keys.go
@@ -85,7 +85,15 @@ var (
 )
 
 func SignSiglist(k *backend.KeyHierarchy, e efivar.Efivar, sigdb efivar.Marshallable) ([]byte, error) {
- signer := k.GetKeyBackend(e)
+ var signer backend.KeyBackend
+ switch e {
+ case efivar.PK:
+ signer = k.GetKeyBackend(efivar.PK)
+ case efivar.KEK:
+ signer = k.GetKeyBackend(efivar.PK)
+ case efivar.Db:
+ signer = k.GetKeyBackend(efivar.KEK)
+ }
 _, em, err := signature.SignEFIVariable(e, sigdb, signer.Signer(), signer.Certificate())
 if err != nil {
 return nil, err
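Review bot: The new `switch e` in SignSiglist has no `default` branch, so for any variable other than PK, KEK or Db `signer` keeps its zero value and the following `signer.Signer()` call will presumably panic on a nil backend (assuming `backend.KeyBackend` is an interface) instead of returning an error. Because this function decides which key authenticates an exported .auth file, an unexpected variable should fail closed: add `default: return nil, fmt.Errorf("no signing key defined for %v", e)`, or the file's own error style, since the import block is not visible here. The PK and KEK branches are identical and could be merged into `case efivar.PK, efivar.KEK:` with a short comment stating the hierarchy the code relies on, e.g. `// PK and KEK updates are authenticated by PK; db updates by KEK`. The function body continues past the end of the hunk.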