I know that this topic has been discussed many times in different places, but can we have one more look at it and maybe think of something?
In other places on the forum, the frequent answer was: do it yourself through the Arch Wiki, but this is not the way Manjaro works for me and, I assume, many other people.
I really appreciate how Manjaro just works out of the box and has these nice configuration tools for drivers and kernels, and also Pamac. This is a work of love and I am thankful to the developers who made it possible!
What I propose is to at least discuss what can be done for some initial support for it in a way that makes it a seamless experience for the user.
The initial solution, as I see it, is to sign the boot loader with Manjaro keys, and maybe add some simple way for users to enroll these keys on their system.
If I understand correctly, on a fully encrypted system your kernel lies on an encrypted partition and only the boot loader remains unencrypted, so maybe it is enough (for security as well as initial support effort) to sign only the boot loader?
And, if I understand it correctly, with the manual (Arch Wiki) way, the user must manually sign the boot loader every time it's updated, which brings a lot of possible problems related to the automated Manjaro update mechanism?
We should eat the elephant piece by piece: if making a signing infrastructure is too complicated at the moment, maybe just the ability to configure boot loader signing, so end users can add/generate their own keys for boot loader signing. And a default Manjaro key can be added afterwards?