diff --git a/lib/make-sysext.nix b/lib/make-sysext.nix
index 2541e3d..c94227b 100644
--- a/lib/make-sysext.nix
+++ b/lib/make-sysext.nix
@@ -81,7 +81,11 @@ runCommand name
     find tree -type d -exec chmod 0755 {} \;
     mkfs.erofs --all-root $name.raw tree/
     veritysetup format --root-hash-file $name.roothash $name.raw $name.verity
-    #TODO: pcks7 signature?
+    # TODO: pcks7 signature
+    # openssl smime -sign -nocerts -noattr -binary -in ${name}.roothash \
+    #   -inkey key.pem -signer cert.pem -outform der -out ${name}.roothash.p7s
     rm -rf tree
+    sha256sum * > SHA256SUMS
+    # TODO: add gpg signature
     popd
   ''
diff --git a/pkgs/openssl/default.nix b/pkgs/openssl/default.nix
index 137176d..0e1f742 100644
--- a/pkgs/openssl/default.nix
+++ b/pkgs/openssl/default.nix
@@ -145,6 +145,7 @@ stdenv.mkDerivation rec {
 
     installPhase = ''
       make DESTDIR=$out install
+      rm -rf $out/etc/ssl/*.dist $out/etc/ssl/misc
     '';
 
     enableParallelBuilding = true;