diff --git a/src/snap-pac-uki.fish b/src/snap-pac-uki.fish
index f919539..9bcc178 100755
--- a/src/snap-pac-uki.fish
+++ b/src/snap-pac-uki.fish
@@ -9,6 +9,8 @@ function check_deps -d "checks if all dependencies are available"
set -l dependencies \
"efibootmgr" \
"jq" \
+ "rg" \
+ "sbsign" \
"sed" \
"snapper" \
@@ -31,6 +33,9 @@ function config -d "sets some configuration variables"
set -g CFG_SNAPSHOT_PATH "/.snapshots"
set -g CFG_SNAPSHOT_SUBVOL "@snapshots"
set -g CFG_UKI_DIR "/efi/EFI/Linux"
+ set -g CFG_SECUREBOOT "yes"
+ set -g CFG_SECUREBOOT_KEY "/etc/secureboot/keys/db/db.key"
+ set -g CFG_SECUREBOOT_CERT "/etc/secureboot/keys/db/db.crt"
end
function find_tasks -d "finds out what the program needs to do"
@@ -70,7 +75,17 @@ function create_uki -d "creates a new uki" -a variant id
--add-section .splash="$prefix/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
--add-section .linux="$prefix/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
--add-section .initrd="$prefix/boot/initramfs-linux$fallback.img" --change-section-vma .initrd=0x3000000 \
- "$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi"
+ "$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi.unsigned"
+
+ # sign
+ if test "$CFG_SECUREBOOT" = "yes"
+ sbsign --key $CFG_SECUREBOOT_KEY \
+ --cert $CFG_SECUREBOOT_CERT \
+ --output "$bd/arch-linux$fallback$snid.efi" \
+ "$bd/arch-linux$fallback$snid.efi.unsigned"
+ else # otherwise move unsigned efi to location
+ mv "$bd/arch-linux$fallback$snid.efi.unsigned" "$bd/arch-linux$fallback$snid.efi"
+ end
end
function create_snapshot_uki -d "creates an uki for a snapshot" -a id
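Review bot: CFG_SECUREBOOT defaults to "yes" while the key and certificate paths are hard-coded to /etc/secureboot/keys/db/, so on any host without exactly that layout the new default sends create_uki into sbsign with a missing key and no earlier diagnostic; check_deps only confirms the sbsign binary exists, not that the signing material is present. I would have config (or the caller) verify the files up front when signing is enabled, e.g. `test -r "$CFG_SECUREBOOT_KEY" -a -r "$CFG_SECUREBOOT_CERT"; or begin; echo "secureboot enabled but key/cert not readable" >&2; return 1; end`. The `config` function starts before this hunk, so where the check best sits depends on how its values are later overridden.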
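Review bot: The exit status of the added `sbsign` call is never checked, so a failed signature (unreadable key, wrong passphrase, sbsign error) leaves no new `$bd/arch-linux$fallback$snid.efi`, or a stale one from a previous run, while the function still returns success and the script goes on to register boot entries for it. The unsigned intermediate is also left behind in `$bd` on the signing path, which keeps an unsigned copy of the kernel image on the ESP for no reason. Signing should abort the function on failure and remove the `.efi.unsigned` file once the signed output exists; the `else` branch already consumes it via `mv`. `create_uki` begins before this hunk, so the `return 1` assumes its callers inspect the status.
```fish
    # sign
    if test "$CFG_SECUREBOOT" = "yes"
        sbsign --key "$CFG_SECUREBOOT_KEY" \
            --cert "$CFG_SECUREBOOT_CERT" \
            --output "$bd/arch-linux$fallback$snid.efi" \
            "$bd/arch-linux$fallback$snid.efi.unsigned"
        or begin
            echo "sbsign failed for $bd/arch-linux$fallback$snid.efi" >&2
            return 1
        end
        # drop the unsigned intermediate so only the signed image stays on the ESP
        rm -f "$bd/arch-linux$fallback$snid.efi.unsigned"
    else # otherwise move unsigned efi to location
        # … unchanged: mv of the unsigned image …
    end
```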