pacman hook security question

[lostinthemath]

I'm fairly new to Arch and sbctl, and this is just a very remote possibility, but I was looking at the pacman hook and the source code, and I was wondering if it would be possible for an attacker to replace one of the files in the (necessarily-unencrypted) ESP with a malicious one of the same name that's already in the 'enrolled file database' of sbctl, which would then be signed by sign-all the next time the pacman hook triggered? I'm not sure how helpful that would be for the attacker, all things considered, but it seems like something that could be done. I'm imagining someone with occasional physical access to at least the boot drive of a system that's still in the possession of the legitimate owner. In other words, does the automatic signing of EFI binaries in the vulnerable ESP break the chain of trust if you don't first verify their integrity based on something like a checksum from whoever put the file there, be it pacman/mkinitcpio/etc.?

[lostinthemath]

Maybe change to use NeedsTargets, and use sign after checking that the target(s) are in the enrolled files db?

[Foxboron]

See the discussion here #228

[lostinthemath]

Ah! I'm sorry, I did search to see if this question had been asked before but missed that thread. Thank you for your response and for your excellent work on this project, it's far-and-away the most streamlined method for setting up SB with custom keys.