Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

`sbctl verify` does not show `/boot/vmlinuz-linux` but it needs to be signed #262

Closed L12C closed 10 months ago

L12C commented 10 months ago

After installing Arch according to https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB) and using `--modules="tpm" --disable-shim-lock` with the `grub-install` command (as instructed in the Arch wiki article for GRUB), `sbctl verify` only initially listed `/efi/EFI/GRUB/grubx64.efi` as needing signing. Without knowing too much of the inner workings, I assume this is a guess at which files need to be signed for the system to boot, but after completing the installation with only that file signed, I could boot GRUB in secure boot mode, but got "You need to load the kernel first" when trying to continue past it. From several threads I gathered that `/boot/vmlinuz-linux` likely needed to be signed as well, and doing so fixed the boot issue, but I wonder why `sbctl verify` didn't include it from the beginning.

Foxboron commented 10 months ago

sbctl only checks your EFI system partition, which is probably mounted to `/efi`. `/boot` containing EFI files you are using to boot is a wart that relies on GRUB's ability to read different filesystems beyond FAT32.

I'm probably not going to add support to check directories beyond the ESP.
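Since `sbctl verify` only walks the ESP, a kernel that GRUB loads from a separate `/boot` can stay unsigned unnoticed. The following is an added example, not sbctl's own code: it reads the PE header of each listed file (the two paths from this thread, with the ESP assumed at `/efi`) and reports whether a Certificate Table, i.e. an Authenticode signature, is present at all. It checks presence only, not which key signed the file, so it flags the gap described above rather than replacing `sbctl verify` or `sbverify`; the test image builder is constructed for the self-test.

```python
import struct
from pathlib import Path

CANDIDATES = ["/efi/EFI/GRUB/grubx64.efi", "/boot/vmlinuz-linux"]  # paths from the thread, ESP assumed at /efi

def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE image has a non-empty Certificate Table (presence only, no key check)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    opt = pe + 24                                   # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)  # PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    if n_dirs <= 4:                                 # image has no Certificate Table entry at all
        return False
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    return off != 0 and size > 0                    # for entry 4 the "VirtualAddress" is a file offset

def check_paths(paths):
    """Map each path to 'signed', 'unsigned', 'missing' or 'not-pe'."""
    result = {}
    for p in paths:
        if not Path(p).is_file():
            result[p] = "missing"
            continue
        try:
            result[p] = "signed" if has_authenticode_signature(Path(p).read_bytes()) else "unsigned"
        except ValueError:
            result[p] = "not-pe"
    return result

def build_test_image(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header with (cert_size > 0) or without a Certificate Table."""
    dos = bytearray(b"MZ") + bytearray(62)
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after the DOS stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                            # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, 512 if cert_size else 0, cert_size)
    return bytes(dos) + coff + bytes(opt)

if __name__ == "__main__":
    for path, status in check_paths(CANDIDATES).items():
        print(f"{status:9s} {path}")
```

Running it as root on the installed system prints one status line per candidate; a `vmlinuz-linux` reported as `unsigned` is exactly the case the thread hit.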

Foxboron commented 10 months ago

If there isn't anything else I'll close this :)