diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index a40aaae8..23dde70b 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -230,19 +230,24 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           oci: false
 
-      # - name: Secureboot Signature Confirmation
-      #   id: secureboot_confirm
-      #   shell: bash
-      #   run: |
-      #     sudo apt-get update && sudo apt-get install -y sbsigntool curl openssl
-      #     curl -Lo /tmp/kernel-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
-      #     curl -Lo /tmp/akmods-signing.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
-      #     openssl x509 -in /tmp/kernel-signing.der -out /tmp/kernel-signing.crt
-      #     openssl x509 -in /tmp/akmods-signing.der -out /tmp/akmods-signing.crt
-      #     /usr/bin/podman run --rm --entrypoint /bin/bash "${{ steps.build_image.outputs.image }}":"$(echo '${{ steps.build_image.outputs.tags }}' | cut -d ' ' -f 1)" -c "cat /usr/lib/modules/*/vmlinuz" > /tmp/extracted-kernel
-      #     sbverify --list /tmp/extracted-kernel
-      #     sbverify --cert /tmp/kernel-signing.crt /tmp/extracted-kernel || exit 1
-      #     sbverify --cert /tmp/akmods-signing.crt /tmp/extracted-kernel || exit 1
+      - name: Check Secureboot
+        shell: bash
+        run: |
+          set -x
+          if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) ]]; then
+            sudo apt update
+            sudo apt install sbsigntool curl openssl
+          fi
+          podman run -d --rm --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sleep 1000
+          podman cp ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1):/usr/lib/modules/${{ env.kernel_release }}/vmlinuz .
+          podman rm -f ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1)
+          sbverify --list vmlinuz
+          curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der
+          curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der
+          openssl x509 -in kernel-sign.der -out kernel-sign.crt
+          openssl x509 -in akmods.der -out akmods.crt
+          sbverify --cert kernel-sign.crt vmlinuz || exit 1
+          sbverify --cert akmods.crt vmlinuz || exit 1
 
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
       # https://github.com/macbre/push-to-ghcr/issues/12
diff --git a/install.sh b/install.sh
index 0ff07464..7590e887 100755
--- a/install.sh
+++ b/install.sh
@@ -21,13 +21,25 @@ find "$RPMS_DIR"/{config,akmods/ublue-os} -type f -name "*.rpm" -print0 | xargs
 rpm-ostree cliwrap install-to-root /
 if [[ "${KERNEL_VERSION}" == "${QUALIFIED_KERNEL}" ]]; then
     echo "Installing signed kernel from kernel-cache."
-    tmpdir="$(mktemp -d)"
-    rpm2cpio "$RPMS_DIR"/kernel/kernel-core-*.rpm | ( cd "$tmpdir"; cpio -idmv )
-    cp "$tmpdir"/lib/modules/*/vmlinuz /usr/lib/modules/*/vmlinuz
+    rpm-ostree override remove \
+        --install=zstd \
+        kernel \
+        kernel-core \
+        kernel-modules \
+        kernel-modules-core \
+        kernel-modules-extra
+    rpm-ostree override replace \
+        --experimental \
+        "$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
+        "$RPMS_DIR"/kernel/kernel-core-*.rpm \
+        "$RPMS_DIR"/kernel/kernel-modules-*.rpm \
+        --remove=kernel-debug-core \
+        --remove=kernel-debug-modules-core
 else
     echo "Install kernel version ${KERNEL_VERSION} from kernel-cache."
     rpm-ostree override replace \
         --experimental \
+        --install=zstd \
         "$RPMS_DIR"/kernel/kernel-[0-9]*.rpm \
         "$RPMS_DIR"/kernel/kernel-core-*.rpm \
         "$RPMS_DIR"/kernel/kernel-modules-*.rpm