Comment 5 for bug 1892797

If you want this in, then one must adjust secureboot-db package service unit to ignore the error from sbkeysync, and/or declare the relevant error codes as normal.

This behaviour has been discussed on the grub_distros keybase channel, without any objections raised.

And no, seeing that package update / sbkeysync succeeded once, is not good enough. As one has to verify that on every boot. Becuase dbx variable store can be reverted/reset between each boot back to stock defaults. Thus a single success from sbkeysync, can only give a false sense of security.