diff --git a/kernel.spec b/kernel.spec
index 6d57b41b7..deb771f13 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -12,7 +12,7 @@
 # change below to w4T.xzdio):
 %define _binary_payload w3T.xzdio
 
-%global distro_build 479
+%global distro_build 480
 
 # Sign the x86_64 kernel for secure boot authentication
 %ifarch x86_64 aarch64 s390x ppc64le
@@ -38,10 +38,10 @@
 # define buildid .local
 
 %define rpmversion 4.18.0
-%define pkgrelease 479.el8
+%define pkgrelease 480.el8
 
 # allow pkg_release to have configurable %%{?dist} tag
-%define specrelease 479%{?dist}
+%define specrelease 480%{?dist}
 
 %define pkg_release %{specrelease}%{?buildid}
 
@@ -461,24 +461,20 @@ Source14: redhatsecureboot302.cer
 Source15: redhatsecureboot303.cer
 Source16: redhatsecurebootca7.cer
 
-%define secureboot_ca_0 %{SOURCE10}
-# TODO: secureboot_ca_2 is only for ppc64le on rhel -
-# why doesn't it just define secureboot_ca_0 differently
-# instead of using this separate _ca_2 variable?
-# This would simplify some really nasty "if" blocks
-%define secureboot_ca_2 %{SOURCE16}
-
 %ifarch x86_64 aarch64
+%define secureboot_ca_0 %{SOURCE10}
 %define secureboot_key_0 %{SOURCE13}
 %define pesign_name_0 redhatsecureboot501
 %endif
 
 %ifarch s390x
+%define secureboot_ca_0 %{SOURCE10}
 %define secureboot_key_0 %{SOURCE14}
 %define pesign_name_0 redhatsecureboot302
 %endif
 
 %ifarch ppc64le
+%define secureboot_ca_0 %{SOURCE16}
 %define secureboot_key_0 %{SOURCE15}
 %define pesign_name_0 redhatsecureboot701
 %endif
@@ -1176,7 +1172,7 @@ openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 cat rheldup3.pem rhelkpatch1.pem > ../certs/rhel.pem
 %ifarch ppc64le
-openssl x509 -inform der -in %{secureboot_ca_2} -out secureboot.pem
+openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
 cat secureboot.pem >> ../certs/rhel.pem
 %endif
 for i in *.config; do
@@ -1754,15 +1750,7 @@ BuildKernel() {
 
     # Red Hat UEFI Secure Boot CA cert, which can be used to authenticate the kernel
     mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
-    %if 0%{?rhel}
-        %ifarch ppc64le
-            install -m 0644 %{secureboot_ca_2} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-        %else
-            install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-        %endif
-    %else
-        install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
-    %endif
+    install -m 0644 %{secureboot_ca_0} $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/kernel-signing-ca.cer
     %ifarch s390x ppc64le
     if [ $DoModules -eq 1 ]; then
 	if [ -x /usr/bin/rpm-sign ]; then
@@ -2706,6 +2694,9 @@ fi
 #
 #
 %changelog
+* Sat Mar 18 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-480.el8]
+- redhat: fix the signing failure on ppc64el on centos (Denys Vlasenko) [2179095]
+
 * Sat Mar 18 2023 Denys Vlasenko <dvlasenk@redhat.com> [4.18.0-479.el8]
 - redhat: add centos signing certs (Denys Vlasenko)
 - redhat: fix "make rh-brew" not choosing _scratch_ build (Denys Vlasenko)
diff --git a/sources b/sources
index ed433d1aa..a3e3d2012 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (linux-4.18.0-479.el8.tar.xz) = 3f1cd8c8c2b2a48bf7509fbf137f66e0685e5e911b8775b4588f77aaa825a456fbbf568e261c3802a193fee70b2f063cce384ceb6ba54d051960c44d3570631b
-SHA512 (kernel-abi-stablelists-4.18.0-479.tar.bz2) = 6696893e336830ea1c7108e69f72704dc884507a355f87a545e03ac0ad6046490f264d7a1c1ab159fad2b4714f04b81817a1794064c52cca2265aadfb381b729
-SHA512 (kernel-kabi-dw-4.18.0-479.tar.bz2) = e4acc8a0d2babc3874870a8ff95917dc5741b897f32a9e4b6475430d5da3c1a8f75b194961d1c3054ae9a0dff7751e5f25ea4c6228d69a0ae604f5283cfd9ca6
+SHA512 (linux-4.18.0-480.el8.tar.xz) = 5f49893db85b2527864d4dcc8f1cf4f164d0fef697f05e1441485db7025165bcd0275a7a5c340ba7df9c59f56cf2be1d8adfe4b7601727181f2aa74672d7aa2b
+SHA512 (kernel-abi-stablelists-4.18.0-480.tar.bz2) = 32759d22676e5c56ad2b44c27756fb9ee531d62ce4d2dbef2427df1931cd3ff82af0dd2a6d12de62b9862e2503dfa9233c02b4a7209978f3c81c974691f7a5b1
+SHA512 (kernel-kabi-dw-4.18.0-480.tar.bz2) = e4acc8a0d2babc3874870a8ff95917dc5741b897f32a9e4b6475430d5da3c1a8f75b194961d1c3054ae9a0dff7751e5f25ea4c6228d69a0ae604f5283cfd9ca6