Inokinoki · Inokinoki · Nov 5, 2025 · Nov 5, 2025 · Nov 5, 2025 · Feb 11, 2026
diff --git a/.github/workflows/cmake-linux-amd64-appimage.yml b/.github/workflows/cmake-linux-amd64-appimage.yml
@@ -22,19 +22,9 @@ jobs:
           - os: ubuntu-22.04
             qt-ver: 5
             qt-pkg: qtbase5-dev qttools5-dev
-            use-pkexec-launcher: OFF
-          - os: ubuntu-22.04
-            qt-ver: 5
-            qt-pkg: qtbase5-dev qttools5-dev
-            use-pkexec-launcher: ON
-          - os: ubuntu-24.04
-            qt-ver: 6
-            qt-pkg: qt6-base-dev qt6-tools-dev
-            use-pkexec-launcher: OFF
           - os: ubuntu-24.04
             qt-ver: 6
             qt-pkg: qt6-base-dev qt6-tools-dev
-            use-pkexec-launcher: ON
     runs-on: ${{matrix.os}}
 
     steps:
@@ -56,7 +46,7 @@ jobs:
         run: |
           cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}} \
             -DCMAKE_INSTALL_PREFIX=/usr -DENABLE_PACKAGING=ON \
-            -DUSE_PKEXEC_LAUNCHER=${{matrix.use-pkexec-launcher}} \
+            -DUSE_PKEXEC_LAUNCHER=ON \
             -DBUILD_CLI_UTILITY=ON
 
       - name: Build
@@ -89,17 +79,15 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           # Artifact name
-          name: QEFI Entry Manager x86_64 AppImage Qt${{matrix.qt-ver}} pkexec-launcher-${{matrix.use-pkexec-launcher}}
+          name: QEFI Entry Manager x86_64 AppImage Qt${{matrix.qt-ver}}
           # A file, directory or wildcard pattern that describes what to upload
           path: ${{github.workspace}}/build/EFI_Entry_Manager-x86_64-Qt${{matrix.qt-ver}}.AppImage
 
       - name: Packaging Debian
-        if: ${{ matrix.use-pkexec-launcher == 'ON' }}
         working-directory: ${{github.workspace}}/build
         run: cpack -G DEB
 
       - name: Upload a Build Artifact
-        if: ${{ matrix.use-pkexec-launcher == 'ON' }}
         uses: actions/upload-artifact@v4
         with:
           # Artifact name

diff --git a/qefientrymanager-launcher b/qefientrymanager-launcher
@@ -1,16 +1,51 @@
 #!/usr/bin/env bash
 
-env_array=(
-	"XDG_CURRENT_DESKTOP=${XDG_CURRENT_DESKTOP}"
-	"QT_QPA_PLATFORM=${QT_QPA_PLATFORM}"
-	"QT_QPA_PLATFORMTHEME=${QT_QPA_PLATFORMTHEME}"
-	"QT_STYLE_OVERRIDE=${QT_STYLE_OVERRIDE}"
-)
+# Resolve the bundled binary path first; avoid relying on PATH after pkexec
+launcher_path="$(readlink -f "${BASH_SOURCE[0]}")"
+launcher_dir="$(dirname "${launcher_path}")"
+target="${launcher_dir}/QEFIEntryManager"
+if [[ ! -x "${target}" ]]; then
+	target="QEFIEntryManager"
+fi
+
+env_array=()
+append_env() {
+	local key="$1"
+	local value="${!key-}"
+	if [[ -n "${value}" ]]; then
+		env_array+=("${key}=${value}")
+	fi
+}
 
-if [[ -z "${WAYLAND_DISPLAY}" ]]; then
-	env_array+=("DISPLAY=${DISPLAY}" "XAUTHORITY=${XAUTHORITY}")
+# Preserve the minimum GUI/session vars that pkexec strips
+append_env XDG_CURRENT_DESKTOP
+append_env XDG_SESSION_TYPE
+append_env QT_QPA_PLATFORM
+append_env QT_QPA_PLATFORMTHEME
+append_env QT_STYLE_OVERRIDE
+append_env DBUS_SESSION_BUS_ADDRESS
+
+if [[ -n "${WAYLAND_DISPLAY:-}" ]]; then
+	# Wayland: pass combined runtime dir and display socket
+    env_array+=("WAYLAND_DISPLAY=${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}")
 else
-	env_array+=("WAYLAND_DISPLAY=${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}")
+	# X11: pass display and auth cookie
+	append_env DISPLAY
+	append_env XAUTHORITY
+fi
+
+if [[ "${EUID}" -eq 0 ]]; then
+	# If already root, run directly without re-exec
+	exec "${target}" "$@"
+fi
+
+if [[ -n "${APPIMAGE:-}" && -x "${APPIMAGE}" ]]; then
+	# AppImages mount their SquashFS via FUSE under the calling user.
+	# After pkexec, root often cannot read that user FUSE mount unless
+	# allow_root/allow_other is set, so we re-exec the AppImage as root
+	# and force extract+run to bypass the mount.
+	exec pkexec env "${env_array[@]}" APPIMAGE_EXTRACT_AND_RUN=1 "${APPIMAGE}" "$@"
 fi
 
-exec pkexec env "${env_array[@]}" QEFIEntryManager "$@"
+# Fallback for non-AppImage installs
+exec pkexec env "${env_array[@]}" "${target}" "$@"