diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 2a0f41716..caa76845f 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2692,12 +2692,13 @@ def make_image(
 cmdline += ["--key-file", workdir(context.config.passphrase)]
 options += ["--ro-bind", context.config.passphrase, workdir(context.config.passphrase)]
 if context.config.verity_key:
- key = workdir(context.config.verity_key) if context.config.verity_key.exists() else context.config.verity_key
- cmdline += ["--private-key", str(key)]
 if context.config.verity_key_source.type != KeySourceType.file:
 cmdline += ["--private-key-source", str(context.config.verity_key_source)]
 if context.config.verity_key.exists():
+ cmdline += ["--private-key", workdir(context.config.verity_key)]
 options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
+ else:
+ cmdline += ["--private-key", context.config.verity_key]
 if context.config.verity_certificate:
 cmdline += ["--certificate", workdir(context.config.verity_certificate)]
 options += ["--ro-bind", context.config.verity_certificate, workdir(context.config.verity_certificate)]
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 6454a8766..4e40a4950 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -506,7 +506,6 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
 ):
 cmd: list[PathString] = [
 "sbsign",
- "--key", workdir(context.config.secure_boot_key),
 "--cert", workdir(context.config.secure_boot_certificate),
 "--output", workdir(output),
 ]
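Review bot: The new `else` branch passes `context.config.verity_key` through unchanged whenever the path does not exist on the host, and that `exists()` probe is the only thing telling a real key file apart from an engine/provider key identifier, so the intent deserves a comment on the line before it, e.g. `# Not a file on the host: assume an engine/provider key reference and pass it through unchanged.`. It also means that when `verity_key_source.type` is `KeySourceType.file` and the path is simply missing, an unmapped host path is still handed to the sandboxed tool instead of failing early with a clear error; consider rejecting that combination before building `cmdline`. Behaviour otherwise matches the removed lines, except the value is no longer wrapped in `str()`, which is presumably fine if `cmdline` accepts path-like entries. make_image starts before and ends after the hunk.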
@@ -518,7 +517,10 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
 if context.config.secure_boot_key_source.type == KeySourceType.engine:
 cmd += ["--engine", context.config.secure_boot_key_source.source]
 if context.config.secure_boot_key.exists():
+ cmd += ["--key", workdir(context.config.secure_boot_key)]
 options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
+ else:
+ cmd += ["--key", workdir(context.config.secure_boot_key)]
 cmd += [workdir(input)]
 run(
 cmd,
@@ -732,7 +734,6 @@ def install_systemd_boot(context: Context) -> None:
 "sbvarsign",
 "--attr",
 "NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
- "--key", workdir(context.config.secure_boot_key),
 "--cert", workdir(context.config.secure_boot_certificate),
 "--output", workdir(keys / f"{db}.auth"),
 ]
@@ -746,9 +747,12 @@ def install_systemd_boot(context: Context) -> None:
 if context.config.secure_boot_key_source.type == KeySourceType.engine:
 cmd += ["--engine", context.config.secure_boot_key_source.source]
 if context.config.secure_boot_key.exists():
+ cmd += ["--key", workdir(context.config.secure_boot_key),]
 options += [
 "--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key),
 ]
+ else:
+ cmd += ["--key", context.config.secure_boot_key]
 cmd += [db, workdir(context.workspace / "mkosi.esl")]
 run(
 cmd,
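Review bot: The new `else` branch in sign_efi_binary still wraps the key in `workdir()`, so a non-file key (the engine case handled two lines above) is rewritten into a workspace path that is never bind-mounted and does not exist inside the sandbox; the make_image and install_systemd_boot hunks in this same commit pass the raw value instead. Change it to `cmd += ["--key", context.config.secure_boot_key]` to match them. As written both branches produce the same argument, which makes the `if`/`else` a no-op here and suggests the line was copied rather than adapted. sign_efi_binary starts before and ends after the hunk.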
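Review bot: The added line `cmd += ["--key", workdir(context.config.secure_boot_key),]` in install_systemd_boot carries a stray trailing comma before `]`; drop it to read `cmd += ["--key", workdir(context.config.secure_boot_key)]`, matching the sibling line in the sbsign path and avoiding a formatter's magic-trailing-comma expansion onto several lines. The split itself mirrors the make_image hunk, with the file case bind-mounted and the non-file value passed through as-is, which is worth a one-line comment above the `else` body such as `# engine/provider key reference, not a host file: pass through unchanged`. install_systemd_boot starts before and ends after the hunk.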