diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8039ef8..54014a5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,6 +14,7 @@ stages:
 .code-coverage:
     stage: build
     script:
+        - "export PATH=/usr/local/sbin:/usr/local/bin:${PATH}"
         - meson build -Db_coverage=true
         - cd build
         - ninja
diff --git a/ci_container/build.sh b/ci_container/build.sh
index 8667a08..c655a23 100755
--- a/ci_container/build.sh
+++ b/ci_container/build.sh
@@ -73,7 +73,7 @@ for i in "${images[@]}"; do
 	    vim; \
 	rm -rf /var/lib/apt/lists/*;'
 	buildah run "$ctr" /bin/sh -c \
-	    'pip3 install meson ninja; \
+	    'pip3 install --upgrade meson ninja; \
 	    rm -rf ~/.cache/pip/*;'
 	TARGET="${REGISTRY}/${BASENAME}-${name}:${TAG}"
 	IMAGEID=$(buildah commit --format docker "$ctr" "${IMAGENAME}")
diff --git a/src/libexim-encrypt-dlfunc-genkeys.c b/src/libexim-encrypt-dlfunc-genkeys.c
index d9f128b..735b385 100644
--- a/src/libexim-encrypt-dlfunc-genkeys.c
+++ b/src/libexim-encrypt-dlfunc-genkeys.c
@@ -4,36 +4,38 @@
 #include <ctype.h>
 #include <sodium.h>
 
-bool key_contains_zero(unsigned char *key, unsigned int keylen)
-{
-	bool has_zero = false;
-	for (unsigned int i = 0; i < keylen; i++) {
-		if (key[i] == 0) {
-			has_zero = true;
-		}
-	}
-	return has_zero;
-}
+//void
+//dump_key_as_c_code(FILE * f, const char *name, unsigned char *key,
+//		   unsigned int keylen)
+//{
+//	fprintf(f, "const unsigned char %s[] = { ", name);
+//	for (unsigned int i = 0; i < keylen; i++) {
+//		fprintf(f, "0x%02x", key[i]);
+//		if (i < keylen - 1) {
+//			fprintf(f, ", ");
+//		}
+//	}
+//	fprintf(f, " };\n");
+//	fprintf(f, "const unsigned int %s_length = %d;\n", name, keylen);
+//}
+
+//void create_secretbox_key(const char *filebase, const char *varname) {
+//    unsigned char key[crypto_secretbox_KEYBYTES];
+//
+//    crypto_secretbox_keygen(key);
+//
+//    char key_filename[4096];
+//    char key_varname[4096];
+//
+//    sprintf(key_filename, "%s_secretbox", filebase);
+//    sprintf(key_varname, "%s_key", varname);
+//
+//    write_key_files(key_filename, key_varname, key, crypto_secretbox_KEYBYTES);
+//}
 
 void
-dump_key_as_c_code(FILE * f, const char *name, unsigned char *key,
-		   unsigned int keylen)
-{
-	fprintf(f, "const unsigned char %s[] = { ", name);
-	for (unsigned int i = 0; i < keylen; i++) {
-		fprintf(f, "0x%02x", key[i]);
-		if (i < keylen - 1) {
-			fprintf(f, ", ");
-		}
-	}
-	fprintf(f, " };\n");
-	fprintf(f, "const unsigned int %s_length = %d;\n", name, keylen);
-}
-
-void
-dump_key_as_exim_config(FILE * f, const char *name, unsigned char *key,
-			unsigned int keylen)
-{
+dump_key_as_exim_config(FILE *f, const char *name, unsigned char *key,
+                        unsigned int keylen) {
     // write a comment with C variable declaration
     fprintf(f, "# const unsigned char %s[%d] = { ", name, keylen);
     for (unsigned int i = 0; i < keylen; i++) {
@@ -127,20 +129,6 @@ void create_cryptobox_keys(const char *filebase, const char *varname)
 
 }
 
-void create_secretbox_key(const char *filebase, const char *varname) {
-    unsigned char key[crypto_secretbox_KEYBYTES];
-
-    crypto_secretbox_keygen(key);
-
-    char key_filename[4096];
-    char key_varname[4096];
-
-    sprintf(key_filename, "%s_secretbox", filebase);
-    sprintf(key_varname, "%s_key", varname);
-
-    write_key_files(key_filename, key_varname, key, crypto_secretbox_KEYBYTES);
-}
-
 int main(void) {
     if (sodium_init() < 0) {
         fputs("Unable to initialize libsodium", stderr);
diff --git a/src/test_libexim-encrypt-dlfunc.sh b/src/test_libexim-encrypt-dlfunc.sh
index c7f0aaf..d1e6e64 100755
--- a/src/test_libexim-encrypt-dlfunc.sh
+++ b/src/test_libexim-encrypt-dlfunc.sh
@@ -1,7 +1,9 @@
 #!/bin/bash
+# shellcheck disable=SC2164
+
 PATH=/sbin:/usr/sbin:$PATH
 # this script implements the TAP protocol (https://testanything.org)
-echo 1..2
+echo 1..6
 
 # copy to /tmp to keep commandline arguments to exim calls under 256 chars (prevent problems on Ubuntu)
 install -t /tmp src/libexim-encrypt-dlfunc.so
@@ -26,7 +28,72 @@ CIPHERTEXT=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal}{${
 DECRYPTED=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal_open}{${SK}}{${PK}}{${CIPHERTEXT}}}")
 
 if [ "${CLEARTEXT}" == "${DECRYPTED}" ] ; then
-	echo "ok 2 - sealed_box test successful"
+	echo "ok 2 - sealed_box test with pre-generated key pair successful"
 else
-	echo "not ok 2 - sealed_box test unsuccessful"
+	echo "not ok 2 - sealed_box test with pre-generated key pair unsuccessful"
 fi
+
+# skip test on Ubuntu
+#[ "$(lsb_release --id --short)" == "Ubuntu" ] && echo "not ok 3 # skip Ubuntu has patches against long commandline arguments, bailing out"
+
+### Test libexim-encrypt-dlfunc-genkeys
+
+TEMPDIR01="$(mktemp --directory --quiet)"
+TEMPDIR02="$(mktemp --directory --quiet)"
+cleanup() {
+  rm -rf "${TEMPDIR01}" "${TEMPDIR02}"
+}
+trap cleanup EXIT INT TERM
+
+CURDIR="$(pwd)"
+
+pushd "${TEMPDIR01}" > /dev/null
+"${CURDIR}/src/libexim-encrypt-dlfunc-genkeys" 2> /dev/null # TAP parser seems to hate the output
+PK="$(base64 cryptobox_recipient_pk.raw)"
+SK="$(base64 cryptobox_recipient_sk.raw)"
+popd > /dev/null
+
+CIPHERTEXT=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal}{${PK}}{${CLEARTEXT}}}")
+DECRYPTED=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal_open}{${SK}}{${PK}}{${CIPHERTEXT}}}")
+
+if [ "${CLEARTEXT}" == "${DECRYPTED}" ] ; then
+	echo "ok 3 - sealed_box test with newly generated key pair successful"
+else
+	echo "not ok 3 - sealed_box test with newly generated key pair unsuccessful"
+fi
+
+### Check if --help works
+
+if src/libexim-encrypt-dlfunc-decrypt-secretbox --help > /dev/null ; then
+  echo "ok 4 - secretbox --help argument works"
+else
+  echo "not ok 4 - secretbox --help argument does not work"
+fi
+
+if src/libexim-encrypt-dlfunc-decrypt-sealedbox --help > /dev/null ; then
+  echo "ok 5 - sealedbox --help argument works"
+else
+  echo "not ok 5 - sealedbox --help argument does not work"
+fi
+
+### Code coverage for genkeys file access failures
+pushd "${TEMPDIR02}" > /dev/null
+KEYFILES=(cryptobox_recipient_pk.raw cryptobox_recipient_pk_exim.conf cryptobox_recipient_sk.raw cryptobox_recipient_sk_exim.conf)
+for KF in "${KEYFILES[@]}"; do
+  rm -f "${KF}"
+  touch "${KF}"
+done
+FS_ACCESS_FAILURE=0
+for KF in "${KEYFILES[@]}"; do
+  su -s /bin/bash -c "${CURDIR}/src/libexim-encrypt-dlfunc-genkeys" - nobody 2> /dev/null && FS_ACCESS_FAILURE=1
+  rm -f "${KF}"
+  touch "${KF}"
+  chown nobody: "${KF}"
+done
+
+if [ ${FS_ACCESS_FAILURE} -eq 0 ]; then
+  echo "ok 6 - genkeys should fail without filesystem access"
+else
+  echo "not ok 6 - genkeys should fail without filesystem access"
+fi
+popd > /dev/null