From 1d00d75dece47e1bae0dc4e74c3d343da3670016 Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Fri, 29 May 2026 10:53:46 +0200
Subject: [PATCH] signature/cert: Dual MSFT signature and CentOS 8 series cert

Resolves: #RHEL-137056
Signed-off-by: Nicolas Frayer <nfrayer@redhat.com>
---
 centossecureboot801.cer | Bin 0 -> 1437 bytes
 centossecurebootca8.cer | Bin 0 -> 1376 bytes
 shim.rpmmacros          |   2 +-
 shim.spec               |  12 ++++++++----
 sources                 |   2 +-
 5 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 centossecureboot801.cer
 create mode 100644 centossecurebootca8.cer

diff --git a/centossecureboot801.cer b/centossecureboot801.cer
new file mode 100644
index 0000000000000000000000000000000000000000..c18f616f69de186b370934651cace24bc3532e73
GIT binary patch
literal 1437
zcmXqLVx4Kw#N4=mnTe5!NhEpVht4_wmnYZOrS*!1N_DSaHjUGOmyJ`a&7<u*FC!y2
zD}#ZXp@M-N8*?ZNGmp4)YF>$dutIQZa%oYjf>VBeiGs7Ef`y@yfdX6;C!?5fF-SpX
zNu@(FP(yyPUVc%!ft)z6k*T49v7w=vp@p$QlsK=kxuFr9Yv60BZlDUWM-GcU!I|lK
znR)3776yhyS=Yp*gzOVWRtDxKCVmEkCMGVXCMHIPtyK%!4%O__EIbhG6&PHwc=t!!
zFG_;fzod4mTzWex^Y-0KFHDxt;k?avJ^n(dnaiu~?@skxVp&}&bnCX1^sHz1W0v$y
zPp<2=xcQz(X6<xEeeTy!*nHD_?pJR4{<f)P9b=J*+l_sS6CN+*bdF+6t=_b<IXS%N
zeYyL`q&Bt3?jN@AGtpI^#84`Je+SF^+fJ8GT7H##xLjZv?<pC(<t$2pbDkZ2_hyCQ
zj-;!T_5|JhP<3zOoq2zZJ{@S|E*I7Rn!jO#vgEVsvsJ36rq^xfW{<cKwX3R^Tc=#~
zS_JFyf(x1~X63s=7CM;v?N(^`Cbautuw9_Uo9BPZ144CWK3@zt|0wNWr1s@`$HXL-
z85#=<Eb71g$>$c=WQV6;1ol4M+OWCofKJ!74i?p)6LiXs`?{Su;hbS~|8i@L;K?aV
zFP7)FUj1zMxM+Pu=R~#QW%fO5Yno3aP4qQ3ce4$VZ4KP2>2o@5v*nBz4g1mqxC4c*
zI%)l34*jC7G3Rn?nJrU#qeJv%W*-&pW^FN%qvrp+jg!+|xgB<Ne|_zwk`XZD=#t<M
zYmHo3rn#!V2%q}N@3hus*AL8}7*>S&?c-hgUjOZXu`}`Mo{4AAiZ5Ne`1FR4%-Prb
zV>c-6v$}fV@TI1X+2=m)O5$o0?x=5z|JHjU%`5m)NkI5ajo6QQUgBRTpWU2%vu9Q{
z6Eh<N<KhZ~G6No9qLUS7Wc<&<WWZp+2jcOAcr46J><tEDAigSy&tt&F#-Yu|$jZvj
z%xoYF66a$PV-Y#n{BhwY-XIqhkq2RR{TD7d@lCBZkOxUCvq%_-HHd_J@0jvm>A)A`
z4_AzRSjxBlE}LP1oHl{E445_<8TwV%%84)6sn}evD^e9~|L6G9-T7(kZxU}sS)7<=
z7W;I+v2JD2FP-j-2il|8IdI%_v-b*`dslYqp`Y`U1i#kbU6!sr;op??TW2r%&oXVh
z;pCdF9U|%#cT%^Vo_TIY=Zy2A`B4jmcAb0iCoW~FXtK4Pr;*fOnZVn(Et%X{wBDS2
zr}F&IX4j2tV{Tnn3*Ef<VC|A$8+zH7r?39loOLze(ag1fHq8q+k}%MV>abBdC9?nU
z$IDNc*w=6*cl{ABDx5m`+vFCH?yuL5N!{6$k|%L^f$oWwC#^!=xb_@*P!zo6j@~im
z36qQiFD>&BHZC@c%v{Sg?Ig$fv{>man}g0pT_|Wyt_*YC&(t94A#{~jZQFzGeMgv+
zPC0zo7MJoUrlQlfaEF-ElJAZ=_p-jH6@RqaH<dv&RBF>dh2KYJ-v0W3a(`2ZrkX%i
zy}|m3_emV)N0Ux|&D<Yj@X(2|&UVV}zBwlX4;^M;TXOup@=@dGnv#>31##N0&)EKv
z<HNnj-8=qex?D~w+|s<ePC_l1&6jWDWPkMz>s+N$RxLfIZ+tfn3x-MxOl@d=CaG{!
zly|v@X*<hGA;D6q?-Ay6ODng$y1Z3e%{25!@yqE`vqboBE<598Frn;4g!hBy-62ob
uze}~Qjr}S6af<oTHSJ~7TAB7epAu+z^BnWs)<vstZtJ=)pPwAlng{@Us%P8)

literal 0
HcmV?d00001

diff --git a/centossecurebootca8.cer b/centossecurebootca8.cer
new file mode 100644
index 0000000000000000000000000000000000000000..32d84effc063008092e78915fbf3e9ab1e5dc542
GIT binary patch
literal 1376
zcmXqLVvR9qVs=@;%*4pVBvPF^pY`6NX>*S~el0I&7&X(@T5_rZFB_*;n@8JsUPeZ4
zRt5t%Lj?mlHs(+kW*%|p)Vvb^V1?k+<kF&41*iP{5(Q^R1q(wZ0|mGyPDU}|VvvH&
zl1hhUpoaWnz5Jqd137VCBU3{IV?#qT14{$TC~;n6b3-FImumJjF)1N?fsvJgxrvFN
z!JvtWi>Zl;kzuK^#h)1#eR)URdCitJ@~t@1Yh>UN@>AsFyHe53Iq_@CBu^eno4__p
zHmD-#oS0$d&5wI;^RIgOpz%4g+Z6RsS@rMRn2k3CR;9`%eVLQ(wya>U+6i-&ChvBu
zGg~ZoTw7ms;r_krx~I<>$<>~TPY&HS<HpYN#WP(tUCd?Ly{h#6$%gtCn{CH8$K|b7
zxVBlg_~`3d>%Lx}rnSoV!ljRAZ|(?Zh<+h+_3F|^p=<l6CahFvS^U+h{=4nrmc{*+
zY>7Pg1fJV&%Kq4|m^j7vbko`i`!W`OzTJ^v)XbV)rPsE4&8&1OQ&IV<gL<JoPg5N|
zWY+JD{gGjJJ8JiP;bWnDR=YM-=LD~C`u5{mQQ{xD1ot-@M(sOfeb_e#O;{td>6hqX
zE*&pU%`+#8))ddt<5}CU#*+B5VQDgx*84i8dj+%K)y2z*$4=&W=~MLY*~5Z&NpJ49
z+`Tfxv!l_d=>!{#V)FiF3A^KCx4d-L`B3t7{?B6`cE4F7A8Zs(eYP**px2eMU3=fx
zdM)f!U$f=-boJI0Er#yf(FG#c_r5s1$krkH<-?rv*`{GR4{}*Qsh(NlI7#fp{CQG|
zC!O8HO&^}0*7JRNY~srozUTI{FXW$p?z5_^n)eyQvaqB#b$%b4H>UM_+!Cs<lKnnq
z_BQXlqqpp;h5j~$<mp>khOON*+bd6=b@n!g+rCW9j0}v6oeUfd_<^ZfR+y3TKMSh?
zGmtWn1qtx6h_Q%-d+(U?U+KUX;}2JieOSu3{w|wgV892G<_D=~0cM{z<WvUCD8N+4
z$e?h^@}1ek3lp~W+@G^|(&`m6y}#*yeb;`ZYOP-L?X~Mqq)0F3(!ONq&9SmZEoaFm
zb-Q!EZ$5ZTUUVb*)vx_2Y0g=tG1aV_uBvJK)ZMXJ67o2baYItbiE_#Fb6J!$oMR?7
zzm-1B$}-V%yJOYX*LJtwEN;o%a_?8amaTw<p4nl=m+q!(p4v@a!TWk4cgmFNP?h?}
z!Z*@p?+c#2q;t!bZ*EUbcKEApO5VL>ew%UHgRSNo!E<XD{oKP@`b$asT=DWHE$3u4
z-W^o<dxM+3{NjR(Wm`CAOP>3)QSD_hYu@Xn>^CpoO|ZzHrtDhFe)rS#h~0k#V_#3u
z_44w&-IL<?G1x|Dy|=~Z(jedJ-*abum6lERQDy#~+q9{}vt?=1Z<n>~%isBjo4<H1
zD|NgjxlQkwe&0ozol@1U9p|$jmz_~C5vvf0-^%V2-&$1e$B-uUNa?u!54NcIrbG{(
zW4cbZ6Shyte%TUe?IU&ZZ}F^->*-53$Ohb!U}2W$*&-ID{k2HCMti$f)4!tUO}=(q
zmJ{_V=B)qkxR`@ojQ{%6Wmg5Nvb8suOK#dEGFQTfH7M@xhL37JB}c=}W^b*#9<U%?
zaQ*)Y-BX#E{;XTMW7dI_doFn!{kPfr|Lpu=)&|S&ZOpH`ydHfF*;#saC8J7`^^G}-
ZIxX&>c~(Sqb*)o;_gvtC+^<<u!2sVeRP6u&

literal 0
HcmV?d00001

diff --git a/shim.rpmmacros b/shim.rpmmacros
index 320af54..2722b05 100644
--- a/shim.rpmmacros
+++ b/shim.rpmmacros
@@ -118,7 +118,7 @@ version signed by the UEFI signing service.				\
 	else									\
 		cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
 	fi									\
-	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot201 -a %{SOURCE2} -c %{SOURCE1} } \
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot801 -a %{SOURCE2} -c %{SOURCE1} } \
 	%{nil}
 
 # -a <efiarch>
diff --git a/shim.spec b/shim.spec
index 0b3a4ef..d7af16e 100644
--- a/shim.spec
+++ b/shim.spec
@@ -1,6 +1,6 @@
 Name:		shim
-Version:	15.8
-Release:	6%{?dist}
+Version:	16.1
+Release:	1%{?dist}
 Summary:	First-stage UEFI bootloader
 License:	BSD
 URL:		https://github.com/rhboot/shim/
@@ -12,8 +12,8 @@ ExclusiveArch:	%{efi}
 ExcludeArch:	%{arm} %{ix86}
 
 Source0:	shim.rpmmacros
-Source1:	centossecureboot201.cer
-Source2:	centossecurebootca2.cer
+Source1:	centossecureboot801.cer
+Source2:	centossecurebootca8.cer
 Source5:	shim.conf
 
 # keep these two lists of sources synched up arch-wise.  That is 0 and 10
@@ -108,6 +108,10 @@ install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
 %endif
 
 %changelog
+* Fri May 29 2026 Nicolas Frayer <nfrayer@redhat.com> - 16.1-1
+- signature/cert: Dual MSFT signature and CentOS 8 series cert
+- Resolves: #RHEL-137056
+
 * Wed Aug 13 2025 Nicolas Frayer <nfrayer@redhat.com> - 15.8-6
 - Updated sources file with new aa64 EFIs
 - Related: #RHEL-45014
diff --git a/sources b/sources
index e839169..2fd8d28 100644
--- a/sources
+++ b/sources
@@ -5,4 +5,4 @@ SHA512 (fbx64.efi) = 1bbf117734d042d92e331a9e619b0f48a7da1016c5fbc3ec5461247e9bb
 SHA512 (mmaa64.efi) = 406fbd719631c07366b609d7eb984bbb749c8be2a63f816e2924aed18b4f1f75e0f84e5937ff47f14f28d8423f59236ebcd1b1a2317f2e1afb1b613a5762e579
 SHA512 (mmx64.efi) = caabd963f6a8a05bbb48f0298c683d1f97d3fe4bc68eee4521b2e8bc2c5cdb6ef405b7188031b8ff250b7a1ddafbdc5da241ac30545bfabca42ee2bc45507499
 SHA512 (shimaa64.efi) = 66ff2d1a7ee2588ae8f1b41ed472f81bdfd4791e8c646d51f9607592cca6d76e0ad05c98390e97191d9989b390f85cb50b107b2f545cde3cb4f07c1eeee7fc45
-SHA512 (shimx64.efi) = b4dc7ff94feec631d63e496b72d9ea333179204407ba91399d7c5e2c762172a3ab91001604727641ac5b0eaf79fa350d981b05c101c523897987e12b494b03cd
+SHA512 (shimx64.efi) = c26bae26171bd8654c7ac14c610bb201f6cf0d0a99891a4356cd3f466745aa7750f58ba49adca33a870867cba3a952b3c9d67989068fe3d1c3a4f09a8e66847e