diff --git a/ima-add-sigs.sh b/ima-add-sigs.sh
index 6777d4b..890eacb 100755
--- a/ima-add-sigs.sh
+++ b/ima-add-sigs.sh
@@ -53,12 +53,35 @@ abort() {
 	exit 1
 }
 
+get_system_ima_key() {
+	source /etc/os-release
+	local -A name_map=(['Fedora Linux']="fedora" ['Red Hat Enterprise Linux']="redhatimarelease" ['CentOS Stream']='centosimarelease')
+	local version_id
+	key_name=${name_map[$NAME]}
+	version_id=${VERSION_ID/.?/}
+
+	[[ $key_name == fedora ]] && name_suffix=-ima
+	key_path=/etc/keys/ima/${key_name}-${version_id}${name_suffix}.der
+	if [[ ! -e $key_path ]]; then
+		echo "Failed to get system IMA code verification key"
+		exit 1
+	fi
+
+	echo -n "$key_path"
+}
+
 # Add IMA signatures from RPM database
 add_from_rpm_db() {
 	if ! command -v setfattr &>/dev/null; then
 		abort "Please install attr"
 	fi
 
+	if [[ -e "$ima_cert" ]]; then
+		verify_ima_cert=$ima_cert
+	else
+		verify_ima_cert=$(get_system_ima_key)
+	fi
+
 	# use "|" as deliminator since it won't be used in a filename or signature
 	while IFS="|" read -r path sig; do
 		# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
@@ -72,16 +95,22 @@ add_from_rpm_db() {
 			continue
 		fi
 
+		# Skip some files that are created on the fly
+		if [[ $path == "/usr/share/mime/"* || $path == "/etc/pki/ca-trust/extracted/"* ]]; then
+			continue
+		fi
+
 		if ! setfattr -n security.ima "$path" -v "0x$sig"; then
 			echo "Failed to add IMA sig for $path"
 		fi
 
-		[[ -e "$ima_cert" ]] || continue
-		# TODO
-		# don't verify the modified files like /etc?
-		if ! evmctl ima_verify -k "$ima_cert" "$path" &>/dev/null; then
-			echo "Failed to verify $path"
+		if ! evmctl ima_verify -k "$verify_ima_cert" "$path" &>/dev/null; then
+			setfattr -x security.ima "$path"
+			# When ima_cert is set, shows the verfication result for users
+			[[ -e "$ima_cert" ]] && "Failed to verify $path"
+			continue
 		fi
+
 	done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
 }