diff --git a/SOURCES/secureboot.cer b/SOURCES/redhatsecureboot301.cer
similarity index 100%
rename from SOURCES/secureboot.cer
rename to SOURCES/redhatsecureboot301.cer
diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer
new file mode 100644
index 0000000..50e375c
Binary files /dev/null and b/SOURCES/redhatsecureboot503.cer differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/redhatsecurebootca3.cer
similarity index 100%
rename from SOURCES/securebootca.cer
rename to SOURCES/redhatsecurebootca3.cer
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec
index abb2f26..f159daa 100644
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@@ -26,12 +26,17 @@
 Summary: Firmware update daemon
 Name: fwupd
 Version: 1.1.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: LGPLv2+
 URL: https://github.com/hughsie/fwupd
 Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1: securebootca.cer
-Source2: secureboot.cer
+
+# these are numbered high just to keep them wildly away from colliding with
+# the real package sources, in order to reduce churn.
+Source300: redhatsecurebootca3.cer
+Source301: redhatsecureboot301.cer
+Source500: redhatsecurebootca5.cer
+Source503: redhatsecureboot503.cer
 
 # backport from upstream
 Patch0: 0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
@@ -39,6 +44,7 @@ Patch1: 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
 Patch2: 0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
 Patch3: 0001-uefi-add-a-new-option-to-specify-the-os-name.patch
 
+BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libappstream-glib-devel >= %{libappstream_version}
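Review bot: The new comment above Source300–Source503 explains the numbering but not which file plays which role; from this hunk alone a reader cannot tell that Source300 and Source500 are the CA certificates (the files the later %pesign calls pass with -a) while Source301 and Source503 are the signing certificates (passed with -c). Suggest extending the comment with `# 300/500 are the CA certs (pesign -a); 301/503 are the signing certs they validate (pesign -c)`. The %pesign lines that consume these sources are in a later hunk of this file.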
@@ -148,7 +154,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 
 %meson \
  -Dgtkdoc=true \
- -Defi_os_dir=redhat \
+ -Defi_os_dir=%{efi_vendor} \
 %if 0%{?enable_tests}
  -Dtests=true \
 %else
@@ -200,7 +206,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
+rm -fv %{fwup_efi_fn}.tmp
 %endif
 
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@@ -333,6 +341,10 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
 %{_datadir}/installed-tests/fwupd/*.py*
 
 %changelog
+* Mon Jul 27 2020 Peter Jones - 1.1.4-7
+- Add signing with redhatsecureboot503 cert
+ Related: CVE-2020-10713
+
 * Wed Feb 19 2020 Richard Hughes 1.1.4-6
 - Rebuild to get the EFI executable signed with the Red Hat key
 - Resolves: #1713033
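Review bot: Nothing after the second %pesign call checks that %{fwup_efi_fn}.signed really carries both the redhatsecureboot301 and redhatsecureboot503 signatures before the intermediate is removed and the file is packaged, so a step that produced a singly-signed output without a non-zero exit status would go unnoticed. Adding `pesign -S -i %{fwup_efi_fn}.signed` immediately before the `rm -fv` line prints the signature list into the build log, where the expected two entries can be confirmed and later scripted into a hard failure. The `%if` guarding this block and the point where the .signed file replaces the unsigned binary are outside the hunk.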