diff --git a/.gitignore b/.gitignore
index dc5033b..3b28284 100644
--- a/.gitignore
+++ b/.gitignore
@@ -75,3 +75,9 @@
 /fwupd-1.5.4.tar.xz
 /fwupd-1.5.5.tar.xz
 /fwupd-1.5.9.tar.xz
+/DBXUpdate-20100307-x64.cab
+/DBXUpdate-20140413-x64.cab
+/DBXUpdate-20160809-x64.cab
+/DBXUpdate-20200729-aa64.cab
+/DBXUpdate-20200729-ia32.cab
+/DBXUpdate-20200729-x64.cab
diff --git a/0001-Do-not-use-the-LVFS.patch b/0001-Do-not-use-the-LVFS.patch
new file mode 100644
index 0000000..f6a828a
--- /dev/null
+++ b/0001-Do-not-use-the-LVFS.patch
@@ -0,0 +1,39 @@
+From 945ef070f2095eac32c9438a30f73acd3fda420c Mon Sep 17 00:00:00 2001
+From: Richard Hughes
+Date: Fri, 24 Sep 2021 09:41:09 +0100
+Subject: [PATCH] Do not use the LVFS
+
+---
+ data/remotes.d/lvfs.conf | 2 +-
+ libfwupd/fwupd-self-test.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/data/remotes.d/lvfs.conf b/data/remotes.d/lvfs.conf
+index f956bc97..f993b970 100644
+--- a/data/remotes.d/lvfs.conf
++++ b/data/remotes.d/lvfs.conf
+@@ -1,7 +1,7 @@
+ [fwupd Remote]
+
+ # this remote provides metadata and firmware marked as 'stable' from the LVFS
+-Enabled=true
++Enabled=false
+ Title=Linux Vendor Firmware Service
+ MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
+ ReportURI=https://fwupd.org/lvfs/firmware/report
+diff --git a/libfwupd/fwupd-self-test.c b/libfwupd/fwupd-self-test.c
+index 089bfafe..606ceefc 100644
+--- a/libfwupd/fwupd-self-test.c
++++ b/libfwupd/fwupd-self-test.c
+@@ -190,7 +190,7 @@ fwupd_remote_download_func (void)
+ g_assert_cmpint (fwupd_remote_get_kind (remote), ==, FWUPD_REMOTE_KIND_DOWNLOAD);
+ g_assert_cmpint (fwupd_remote_get_keyring_kind (remote), ==, FWUPD_KEYRING_KIND_JCAT);
+ g_assert_cmpint (fwupd_remote_get_priority (remote), ==, 0);
+- g_assert (fwupd_remote_get_enabled (remote));
++ //g_assert (fwupd_remote_get_enabled (remote));
+ g_assert (fwupd_remote_get_metadata_uri (remote) != NULL);
+ g_assert (fwupd_remote_get_metadata_uri_sig (remote) != NULL);
+ g_assert_cmpstr (fwupd_remote_get_title (remote), ==, "Linux Vendor Firmware Service");
+--
+2.32.0
+
diff --git a/fwupd.spec b/fwupd.spec
index f236dd0..65760a1 100644
--- a/fwupd.spec
+++ b/fwupd.spec
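Review bot: In the libfwupd/fwupd-self-test.c part of the added patch, the enabled-state check is commented out (`//g_assert (fwupd_remote_get_enabled (remote));`) rather than inverted, so the self-test no longer checks the remote's enabled state at all. Since the same patch sets `Enabled=false` in data/remotes.d/lvfs.conf, asserting the new default with `g_assert (!fwupd_remote_get_enabled (remote));` would make the test fail if a later rebase silently re-enables the network remote; this assumes the test loads that lvfs.conf, which the title assertion suggests but the hunk does not show. The patch also has an empty commit message, and one sentence on why the downstream build disables the LVFS would help whoever rebases it. fwupd_remote_download_func begins and ends outside the inner hunk.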
@@ -44,13 +44,27 @@
 Summary: Firmware update daemon
 Name: fwupd
 Version: 1.5.9
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 URL: https://github.com/fwupd/fwupd
 Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-# backport from upstream
+Source10: http://people.redhat.com/rhughes/dbx/DBXUpdate-20100307-x64.cab
+Source11: http://people.redhat.com/rhughes/dbx/DBXUpdate-20140413-x64.cab
+Source12: http://people.redhat.com/rhughes/dbx/DBXUpdate-20160809-x64.cab
+Source13: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-aa64.cab
+Source14: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-ia32.cab
+Source15: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab
+
+# these are numbered high just to keep them wildly away from colliding with
+# the real package sources, in order to reduce churn.
+Source300: redhatsecurebootca3.cer
+Source301: redhatsecureboot301.cer
+Source500: redhatsecurebootca5.cer
+Source503: redhatsecureboot503.cer
+
 Patch0: 13524af2029c2a8a3fb32ef27c39c214d9b5b13c.patch
+Patch2: 0001-Do-not-use-the-LVFS.patch
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
@@ -240,6 +254,10 @@ can be flashed using flashrom. It is probably not required on servers.
 %install
 %meson_install
+# on RHEL the LVFS is disabled by default
+mkdir -p %{buildroot}/%{_datadir}/dbxtool
+install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool
+
 # sign fwupd.efi loader
 %if 0%{?have_uefi}
 %ifarch x86_64
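Review bot: Source10 to Source15 in the first fwupd.spec hunk point at `http://people.redhat.com/rhughes/dbx/`, so anyone re-fetching these Secure Boot dbx updates from the URL has no transport integrity and depends entirely on the SHA512 entries in `sources`. If that host serves TLS, the six URLs should use `https://`, and a comment above them should say where the DBXUpdate files originally come from. The same hunk removes `# backport from upstream` while keeping Patch0 and adds Patch2 with no comment; a line such as `# RHEL-only: ship with the LVFS remote disabled` above Patch2 would mark which patch is downstream-only.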
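Review bot: The `install` line added in the %install hunk passes no `-m`, so the six .cab files are created with install's default mode of 0755, and the later %files entries set no %attr to correct it. These are data files, so the line should read `install -p -m 0644 %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool`. The comment `# on RHEL the LVFS is disabled by default` also does not describe the commands below it; if the intent is that dbx updates must ship in the package because the remote is off, say so, for example `# the LVFS is disabled on RHEL, so ship the dbx updates locally`.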
@@ -249,10 +267,9 @@ can be flashed using flashrom. It is probably not required on servers.
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp
-%define __pesign_client_cert fwupd-signer
-%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed
-rm -vf %{fwup_efi_fn}.tmp
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
+rm -fv %{fwup_efi_fn}.tmp
 %endif
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@@ -336,6 +353,13 @@ done
 %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
 %{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
 %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
+%dir %{_datadir}/dbxtool
+%{_datadir}/dbxtool/DBXUpdate-20100307-x64.cab
+%{_datadir}/dbxtool/DBXUpdate-20140413-x64.cab
+%{_datadir}/dbxtool/DBXUpdate-20160809-x64.cab
+%{_datadir}/dbxtool/DBXUpdate-20200729-aa64.cab
+%{_datadir}/dbxtool/DBXUpdate-20200729-ia32.cab
+%{_datadir}/dbxtool/DBXUpdate-20200729-x64.cab
 %{_mandir}/man1/fwupdtool.1*
 %{_mandir}/man1/fwupdagent.1*
 %{_mandir}/man1/dfu-tool.1*
@@ -481,6 +505,11 @@ done
 %endif
 %changelog
+* Fri Sep 24 2021 Richard Hughes 1.5.9-4
+- Rebuilt to use redhatsecureboot503 signatures
+- Undo last Fedora sync to use the RHEL-specific patches
+- Resolves: rhbz#2007520
+
 * Mon Aug 09 2021 Mohan Boddu - 1.5.9-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
diff --git a/redhatsecureboot301.cer b/redhatsecureboot301.cer
new file mode 100644
index 0000000..4ff8b79
Binary files /dev/null and b/redhatsecureboot301.cer differ
diff --git a/redhatsecureboot503.cer b/redhatsecureboot503.cer
new file mode 100644
index 0000000..50e375c
Binary files /dev/null and b/redhatsecureboot503.cer differ
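Review bot: The two new `%pesign` lines sign the loader twice, but nothing says why both certificates are needed, and each `-n` nickname has to be kept in step with its `-a`/`-c` Source numbers by hand. A comment above them would record the intent, for example `# dual-sign: redhatsecureboot301 (issued by redhatsecurebootca3), then redhatsecureboot503 (issued by redhatsecurebootca5)`; that pairing is inferred from the Source300/301 and Source500/503 numbering and should be confirmed. The four .cer files are added as binary blobs this diff cannot display, so stating their fingerprints in the commit message or a spec comment would let a reviewer check that the intended certificates were committed. The %if and %ifarch blocks around these lines open outside the hunk.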
diff --git a/redhatsecurebootca3.cer b/redhatsecurebootca3.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/redhatsecurebootca3.cer differ
diff --git a/redhatsecurebootca5.cer b/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/redhatsecurebootca5.cer differ
diff --git a/sources b/sources
index 6f5e19f..678bffc 100644
--- a/sources
+++ b/sources
@@ -1 +1,7 @@
 SHA512 (fwupd-1.5.9.tar.xz) = 1d22bb9759bb0fa6a9030c83b3372ffd02f812c34e4d60f83cbacf5793d68dd846b353a3f127eccfb8f2cdcd329ba09320465cd2f0fe422dea13738e5b0b47ed
+SHA512 (DBXUpdate-20100307-x64.cab) = f8ad56cf015f4cdc5c305856ff1f7a8589c25a2a671708c61883f427f38eb9b6a7abd3f2c8d79ef9d5076222255e42585917f8705a2a4b13f860bad4e02ec409
+SHA512 (DBXUpdate-20140413-x64.cab) = 75771876a2309fa8ca083c2e76520173d434229b7cacf1e7636bd9b1bc4f871d745c348b9792bfb65fd9f40ef54c25bb427b1431151e817e7050b7829456731a
+SHA512 (DBXUpdate-20160809-x64.cab) = c27c564999ae84515540f1a598cd0fd9ef3a80cdfaaf439f1c4cb04eaee0e73074548b6d76c21ca3af1ba9c4c0625907e821582998eb5617e33ecd412e6c8a13
+SHA512 (DBXUpdate-20200729-aa64.cab) = 7a0cea13ed9b645fd9f1d5e3410a451d83643a75f5dc603272b0771b093f2c012f9a19419160403631c250cf64127ad2ce1c8fa2079b04064af73fe85b9add33
+SHA512 (DBXUpdate-20200729-ia32.cab) = 578ec9cccf2001b8bfa54b66809a1662269677050e74bd3225536fbd2be56a8162c48669bd16ea553723580195df1693a28dc01fc1cf62ff06e36a2c5568f74f
+SHA512 (DBXUpdate-20200729-x64.cab) = b8b195167d286a3f16aaa7c89149a0d5b4c8f53080e3265758b912f250fa655533c603359b7d1c989ebad6953ce443809b3317ec1d00f750326945ee0537e43b