you can just add the command to sign your `/boot` partition into `/etc/kerner.d/post-install/50-grub` file or make a new file order after > `50-grub` like `60-sign`

that's

in my case using sbctl with voidlinux full-disk encrypted I'm added `sbctl sign` to make sure it's signed every time grub update

`/etc/kerner.d/post-install/50-grub`

```

PKGNAME="$1"

VERSION="$2"

export ZPOOL_VDEV_NAME_PATH=YES

if command -v grub-mkconfig >/dev/null 2>&1; then

if [ -d $ROOTDIR/boot/grub ]; then

grub-mkconfig -o $ROOTDIR/boot/grub/grub.cfg

sbctl sign -s $ROOTDIR/boot/efi/EFI/void/grubx64.efi

sbctl verify

exit $?

fi

fi

exit 0

```

and then using `sbctl verify'

to make sure it's signed(it will printed after updated)