> We plan on streamlining this as much as possible, but so far this has not happened yet.

Probably integrating something like sbctl (https://github.com/Foxboron/sbctl#sbctl---secure-boot-manage...) would do the trick, it's making the whole signing and key management dance easy.

Seems to already work together with limine on NixOS too: https://search.nixos.org/options?channel=25.11&query=sbctl#s...