diff --git a/grub.macros b/grub.macros
index 16a9b5c6..966c079f 100755
--- a/grub.macros
+++ b/grub.macros
@@ -589,7 +589,8 @@ install -d -m 0700 ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig	\
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/default/grub		\
 ln -sf ../default/grub						\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/grub		\
-touch ${RPM_BUILD_ROOT}/boot/%{name}/grub.cfg			\
+touch grub.cfg							\
+install -m 0600 grub.cfg ${RPM_BUILD_ROOT}/boot/%{name}/	\
 ln -s ../boot/%{name}/grub.cfg					\\\
 	${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}.cfg		\
 %{nil}
@@ -634,7 +635,7 @@ ln -s ../boot/%{name}/grub.cfg					\\\
 %attr(0700,root,root)/boot/%{name}/fonts			\
 %dir %attr(0700,root,root)/boot/loader/entries			\
 %ghost %config(noreplace) %attr(0600,root,root)/boot/%{name}/grub.cfg	\
-%ghost %config(noreplace) %verify(not mtime) %attr(0600,root,root)%{efi_esp_dir}/grub.cfg	\
+%ghost %config(noreplace) %verify(not mtime) %attr(0700,root,root)%{efi_esp_dir}/grub.cfg	\
 %config(noreplace) %verify(not size mode md5 mtime) /boot/%{name}/grubenv	\
 %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/%{name}-%{1}.conf \
 %{expand:%if 0%{?without_efi_modules}				\
diff --git a/grub2.spec b/grub2.spec
index 5120cd7c..8596b8ae 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -335,19 +335,22 @@ if ! mountpoint -q ${ESP_PATH}; then
     exit 0 # no ESP mounted, nothing to do
 fi
 
-if test ! -f ${EFI_HOME}/grub.cfg; then
-    # there's no config in ESP, create one
-    grub2-mkconfig -o ${EFI_HOME}/grub.cfg
-    cp -a ${EFI_HOME}/grub.cfg ${EFI_HOME}/grub.cfg.rpmsave
+if test ! -f ${GRUB_HOME}/grub.cfg; then
+    # there's no config in GRUB home, create one
+    grub2-mkconfig -o ${GRUB_HOME}/grub.cfg
 fi
 
-# need to move grub.cfg to correct dir for major version upgrade
-if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then
-    cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
-fi
+# make sure grub.cfg is present before grepping it
+if test -f ${EFI_HOME}/grub.cfg; then
+    # need to move grub.cfg to correct dir for major version upgrade
+    if ! grep -q "configfile" ${EFI_HOME}/grub.cfg; then
+        cp -a ${EFI_HOME}/grub.cfg ${GRUB_HOME}/
+        chmod 0600 ${GRUB_HOME}/grub.cfg
+    fi
 
-if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
-    exit 0 # already unified, nothing to do
+    if grep -q "configfile" ${EFI_HOME}/grub.cfg && grep -q "root-dev-only" ${EFI_HOME}/grub.cfg; then
+        exit 0 # already unified, nothing to do
+    fi
 fi
 
 # create a stub grub2 config in EFI
@@ -537,6 +540,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
+* Wed Jul 31 2024 Leo Sandoval <lsandova@redhat.com> - 2.06-88
+- grub.cfg: Fix rpm grub.cfg verification issues
+- Resolves: #RHEL-45870
+
 * Wed Jul 31 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-87
 - grub2-mkconfig: Simplify os_name detection
 - Resolves: #RHEL-32099