diff --git a/mkosi.images/base/mkosi.build.chroot b/mkosi.images/base/mkosi.build.chroot
index ce3c8e2577..b59f339b11 100755
--- a/mkosi.images/base/mkosi.build.chroot
+++ b/mkosi.images/base/mkosi.build.chroot
@@ -8,7 +8,7 @@ set -e
 # We don't want to install our build of systemd in the base image, but use it as an extra tree for the
 # initrd and system images, so override DESTDIR to store it in the output directory so we can reference it as
 # an extra tree in the initrd and system image builds.
-DESTDIR="$OUTPUTDIR/systemd"
+export DESTDIR="$OUTPUTDIR/systemd"
 
 # If mkosi.builddir/ exists mkosi will set $BUILDDIR to it, let's then use it
 # as out-of-tree build dir. Otherwise, let's make up our own builddir.
@@ -169,15 +169,3 @@ if [ "$WITH_TESTS" = 1 ]; then
 fi
 
 ( set -x; meson install -C "$BUILDDIR" --quiet --no-rebuild --only-changed )
-
-# Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-if [ -d "${DESTDIR}/boot/loader" ]; then
- addons_dir="${DESTDIR}/boot/loader/addons"
-elif [ -d "${DESTDIR}/efi/loader" ]; then
- addons_dir="${DESTDIR}/efi/loader/addons"
-fi
-if [ -n "${addons_dir}" ]; then
- mkdir -p "${addons_dir}"
- ukify --secureboot-private-key mkosi.secure-boot.key --secureboot-certificate mkosi.secure-boot.crt --cmdline this_should_be_here -o "${addons_dir}/good.addon.efi"
- ukify --cmdline this_should_not_be_here -o "${addons_dir}/bad.addon.efi"
-fi
diff --git a/mkosi.images/system/mkosi.conf.d/10-arch.conf b/mkosi.images/system/mkosi.conf.d/10-arch.conf
index e1a511c979..a3d008d10f 100644
--- a/mkosi.images/system/mkosi.conf.d/10-arch.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-arch.conf
@@ -23,5 +23,6 @@ Packages=
 python-pytest
 python3
 quota-tools
+ sbsigntools
 shadow
 vim
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
index 348bdb2992..d6e3f20222 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu.conf
@@ -19,6 +19,7 @@ Packages=
 netcat-openbsd
 openssh-server
 openssh-client
+ sbsigntool
 passwd
 policykit-1
 procps
diff --git a/mkosi.images/system/mkosi.conf.d/10-fedora.conf b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
index 5863f03b19..7554ad2dc3 100644
--- a/mkosi.images/system/mkosi.conf.d/10-fedora.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-fedora.conf
@@ -9,3 +9,4 @@ Packages=
 compsize
 f2fs-tools
 glibc-langpack-en
+ sbsigntools
diff --git a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
index 71434b4560..ffcb664224 100644
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse.conf
@@ -20,5 +20,6 @@ Packages=
 python3-psutil
 python3-pytest
 quota
+ sbsigntools
 shadow
 vim
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
index 9bb246263e..e0fcf30498 100755
--- a/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
+++ b/mkosi.images/system/mkosi.extra/usr/lib/systemd/mkosi-check-and-shutdown.sh
@@ -1,18 +1,18 @@
 #!/bin/bash -eux
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
-# TODO: Figure out why this is failing
-systemctl reset-failed systemd-vconsole-setup.service
-
 systemctl --failed --no-legend | tee /failed-services
 
 # Check that secure boot keys were properly enrolled.
 if ! systemd-detect-virt --container; then
 cmp /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\1')
 cmp /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c <(printf '\6\0\0\0\0')
- # TODO: Figure out why this is failing
- # grep -q this_should_be_here /proc/cmdline
- # grep -q this_should_not_be_here /proc/cmdline && exit 1
+
+ if command -v sbsign &>/dev/null; then
+ cat /proc/cmdline
+ grep -q this_should_be_here /proc/cmdline
+ (! grep -q this_should_not_be_here /proc/cmdline)
+ fi
 fi
 
 # Exit with non-zero EC if the /failed-services file is not empty (we have -e set)
diff --git a/mkosi.images/system/mkosi.postinst.chroot b/mkosi.images/system/mkosi.postinst.chroot
index 692242da38..330fa3b73e 100755
--- a/mkosi.images/system/mkosi.postinst.chroot
+++ b/mkosi.images/system/mkosi.postinst.chroot
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 # SPDX-License-Identifier: LGPL-2.1-or-later
 
 set -e
@@ -100,3 +100,12 @@ mkdir -p /usr/lib/tmpfiles.d
 cat >/usr/lib/tmpfiles.d/testuser.conf </dev/null; then
+ # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+ addons_dir=/efi/loader/addons
+ mkdir -p "$addons_dir"
+ ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+ ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi
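Review bot: The negative assertion `(! grep -q this_should_not_be_here /proc/cmdline)` passes vacuously when bad.addon.efi never reached the ESP, and the `command -v sbsign` gate is only a proxy for the build-side gate (`command -v ukify` in mkosi.postinst.chroot), so a missing fixture either surfaces as an unrelated grep failure on the positive check or goes unnoticed entirely. Before the two greps, assert that both fixtures are actually present, e.g. `test -f /efi/loader/addons/good.addon.efi` and `test -f /efi/loader/addons/bad.addon.efi` — this assumes the ESP is mounted at /efi at this point, as the postinst script's `addons_dir=/efi/loader/addons` suggests, so confirm that before relying on it. Together with the SecureBoot/SetupMode `cmp` checks just above, that turns the pair of greps into a real test that sd-stub rejected the unsigned addon because of its signature state, rather than because there was nothing to reject. The subshell-with-`!` form is the correct idiom under `-e`; a bare `! grep …` would not abort the script on failure, which is worth a one-line comment since it looks redundant at first glance.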
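Review bot: The `bad.addon.efi` fixture is unsigned, so the negative case only proves sd-stub ignores a PE that carries no Authenticode signature at all; it never exercises the case Secure Boot actually exists for, an addon signed with a key that is not enrolled in db. I would add a third addon signed with a throwaway, unenrolled key and the same `this_should_not_be_here` cmdline, so the existing check in mkosi-check-and-shutdown.sh covers both "no signature" and "wrong signer" without changes; this relies on `openssl` being available in the chroot, which the diff does not show. Note this hunk's context line and the `if command -v ukify` line appear garbled in this copy of the diff (the `<<EOF` heredoc marker seems to have been eaten), so the exact gate is inferred. Separately, `mkosi.key` and `mkosi.crt` are relative paths and only resolve if mkosi runs this script with the source directory as cwd; a comment such as `# mkosi runs post-install scripts with $SRCDIR as cwd, so mkosi.key/.crt resolve relative to it` would save the next reader a trip to the docs.
```shell
if command -v ukify &>/dev/null; then
    # … unchanged: good.addon.efi (signed with mkosi.key) and bad.addon.efi (unsigned) …
    # Also sign an addon with a throwaway key that is *not* enrolled in db, so the
    # negative case covers "wrong signer" and not merely "no signature".
    untrusted=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=untrusted addon' \
        -keyout "$untrusted/key.pem" -out "$untrusted/cert.pem" 2>/dev/null
    ukify build --secureboot-private-key "$untrusted/key.pem" --secureboot-certificate "$untrusted/cert.pem" --cmdline this_should_not_be_here -o "$addons_dir/untrusted.addon.efi"
    rm -rf -- "${untrusted:?}"
fi
```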