From 916ee0ccb8eaf87d3e887dc5de8ca79bfc04c9ff Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Sun, 8 Mar 2026 23:12:32 +0000
Subject: [PATCH] Update secure boot certs: ca0 as Source2, boot0 as Source1,
 drop centos certs

---
 .gitignore                 |   3 ---
 almalinuxsecureboot0.cer   | Bin 0 -> 999 bytes
 almalinuxsecurebootca0.cer | Bin 0 -> 970 bytes
 shim.rpmmacros             |   2 +-
 shim.spec                  |   3 ++-
 sources                    |   3 +--
 6 files changed, 4 insertions(+), 7 deletions(-)
 create mode 100644 almalinuxsecureboot0.cer
 create mode 100644 almalinuxsecurebootca0.cer

diff --git a/.gitignore b/.gitignore
index 477fac6..cbbd3fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,11 +1,8 @@
 BOOTAA64.CSV
 BOOTX64.CSV
-centossecureboot201.cer
-centossecurebootca2.cer
 fbaa64.efi
 fbx64.efi
 mmaa64.efi
 mmx64.efi
 shimaa64.efi
 shimx64.efi
-SOURCES/almalinuxsecurebootca0.cer
diff --git a/almalinuxsecureboot0.cer b/almalinuxsecureboot0.cer
new file mode 100644
index 0000000000000000000000000000000000000000..e6bb9db458dcdd38c1d601a5160ce8464ad028e0
GIT binary patch
literal 999
zcmXqLVt#DU#B_QAGZP~dlSq=$x3`I_j%l#2FGy70?o}0&^C`xFmyJ`a&7<u*FC!y2
zD}zCfp{jv0T!@oVOsqIHxwI&=q|zZVCpR%CGq1ElFTW_=P{BZsjX9KsOIX|yDDDFi
zSMU#3aLX^vOGzxr%+E7aG>`|WU>24@s0aobma5>CpI@Tj>}Vh-&TC|9U~Ft?Xklb&
zVh|<HYYgNXSwgu6g@$SdDqur+WU(6(oSB}NnTK!=4^HP0=P!dMMkVAhVPs`sZerwT
z0E%-lH8C<WEZZ7vnwP#}ZBI`6%E}aj=2*X?OWuz}HVaQNm9>5{Q*3?l-?<XejdnUq
zKCHAY&Ji(*UCnNE>gr~{?8kbg0b5t?lBx5kIj7}g65w>>_kj-vx$A0zuP(QmrG2<v
zyYkg>u2<Dx8luytRn|sj?tZ28M{A<_`Nco3O8PJ=EB{FN@kev^zl`gfdUYihiuIj{
z<jR*lo4|4=%{|g8^7WU!lM;Ve`1D@LUJy3t*T=8!ig)Z2=j5$;7xE+5W~Q=d_Jeh&
zZ#D;QWIvGby)*K~%=00)SLqdObmx7Z=#;R#ckgG*<8$`h3lX%@o6_{CzocB^=Kk%)
zHz&_I5k3Dwje(7^RF{JIoySbfj0}v6D-6mEcz_WjE6m9FpM}YQ!GI6M;|K9rn3>oc
z48%ZuRS=)YfQyYon~jl`m7ST{Ko%s<$0Eie@_$b83%6N8)15EgoM>+NBkWY&gl=$>
zkyU1qFc51HIoS8|=e1RqCd=#0HZEQp>z27>$v)(`0j5`A+%Ph@OKKIL-ult%`<1Av
z5-(2v5nVsM&G$=Ot<n*eNsTTs7N?kZ@@;?hSS~mCSVaEWr5A<g*@f^%nL8ZeT$Z$9
z>(U)hQd!P8?3PlTo-)sP<I&6QPXqm~Z<0*Bw;<xx`@Tst=T_`dJQ7tFm$bI1J}dE4
z^`)cduiTGjs9*CUcth!`gj5sJ__C?DisVG6#~pbmz3ZjsWO4Pa)71XE8a{jO`Rn@(
z<ztQ#VmF2NEZ^4qdX+=g@kcSP_B!dm`yy}U*)IAcd_z=pO6xrR4<=kYmcQJW%>C%)
z%GRv~6F;VMvx!~hPrProZ&#m`UU0&*YmVC)`!Achh~HyQ{q4DbyFt~aQ_2ejlC}W=
DeSwFp

literal 0
HcmV?d00001

diff --git a/almalinuxsecurebootca0.cer b/almalinuxsecurebootca0.cer
new file mode 100644
index 0000000000000000000000000000000000000000..d086cd53c500ca15c889ff2b32c5b6167e162cb5
GIT binary patch
literal 970
zcmXqLVm@Zj#I$Y!GZP~dlOV(4Zs(9&d=69Em3g11sAk<Z;AP{~YV&CO&dbQi&B|bq
zW2kDN3>V^L6cZ~>O)f3UEU9!z%*jp6$;>OQ(917MH&if?V`C0w;Sv^i1d98B#1;I5
z72NVm^HLH^GV}8c6%FJ;Dwu^O5GsN}hNUVv<>!|uI6E51iSrtn7#JIx7#Nxw8X8B5
z^BN;_>Fk;&MkVCnU}R-rZerwTFlb`rVrpV!WY}<Ep%UY-y&sLgH-9O+`C4I0`GaM)
z?HjA)w*)Wj`Y6);wDEz%(b+GwJ}Z5j_Uzl)^(72Tc-6Tc2}Z5lX1Tkg?%SW)5|7Q7
zH=cPdsvsm)Ao}T$^*$--h|A1L-$d8*{WsmOy=|}F>_t7Ne;@l2>AiQadDHC2MrTVB
zO(Lpfw^>Si%esGJa$bBkT4%~@SA&z4SLRpsX_nubYp1h<jh&J6<43PqR*%E?n=##M
zns3U!_Q|Qk_YzMfTI^pK`$zHCj!9ReHP&`XY%aNW>TKIzu}<?gEt66|j+y!)DwE=#
zt@{4zq6_<<b4tux(-(ZqIG}S@`KP(bEdF&_@6WvNXOeppt;pZy&&15gz_>WsAQ2p~
zvdSzH24W2&2m4<Bytc~HWO<$0#>H!6-7=Rf*=N89jCompM#ldvEWm`<X21{P3xoKq
z2FyUpKo%sx$0EjpT|a871V#fRgYWA7AA9a?HV`_W+*B=ie2ZaT;MXsTkHj~7U)QX7
zeO{na@bq2o-sL^#TGFP8)Lat%py1tJ%(M6G|BBOB;u8`d8M@V<w9hd*eX*l5>W}#J
zxk}xi#o5);HktIgnC#)1`JOlE+oS{&KE=3)&u#8$74Y|m%cOL+Z;I<V`_=MTo7&&S
zsR{k+W$fmUYPwmu{S3}^=<fC1QKaa1j?=LC`@+QHmd^>VzN<(T-->Cg@tAgaZeR7U
zoO6kLraH9v^FEAbn0rzC{=8|?{>9&=0(}ZDUbr5qpi+Ngkv!MxEhXG;4@Gr@<_V~8
hz1^Yl@Bi1C6W7#=r%k@Xm3H;jpD6o4&JuOO^8kV}d_DjG

literal 0
HcmV?d00001

diff --git a/shim.rpmmacros b/shim.rpmmacros
index 9206e1e..4ee57e1 100644
--- a/shim.rpmmacros
+++ b/shim.rpmmacros
@@ -118,7 +118,7 @@ version signed by the UEFI signing service.				\
 	else									\
 		cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
 	fi									\
-	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot201 -a %{SOURCE2} -c %{SOURCE1} } \
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n almalinuxsecureboot0 -a %{SOURCE2} -c %{SOURCE1} } \
 	%{nil}
 
 # -a <efiarch>
diff --git a/shim.spec b/shim.spec
index ebc51e9..3d8a6d8 100644
--- a/shim.spec
+++ b/shim.spec
@@ -16,7 +16,8 @@ ExclusiveArch:	%{efi}
 ExcludeArch:	%{arm} %{ix86}
 
 Source0:	shim.rpmmacros
-Source1:	almalinuxsecurebootca0.cer
+Source1:	almalinuxsecureboot0.cer
+Source2:	almalinuxsecurebootca0.cer
 Source5:	shim.conf
 
 # keep these two lists of sources synched up arch-wise.  That is 0 and 10
diff --git a/sources b/sources
index 5e420dc..fada67d 100644
--- a/sources
+++ b/sources
@@ -5,5 +5,4 @@ SHA512 (mmx64.efi) = 266f346b5acea659a74e2ec28d6ee652d06a6fc1f2219cbb8c8fe207628
 SHA512 (shimaa64.efi) = 4e959920d0f4da2075680a547b25283363fcd258d5ae911a0435aa43cc4db71f358293ac0c03414572d10e1623f9b7657f5ef53e91981175043676b77ffe6b04
 SHA512 (shimx64.efi) = c8ae4275b844f4237e76878ab335bb0949e7c5db68349b2e54f0e7e138d9e02de2bdcb4b3839ec106b095b15147974a74dedfd1ad296fab18ae5ade6414dc2d3
 SHA512 (BOOTAA64.CSV) = 2dfc78bee3d6e7f27cab8037ace24b9d62d2b3e5056751a32259d997fbaba5ef6015d6c50c842f29e2a31b94c3dc63476fb61803b25f504255c32c04a5a8255c
-SHA512 (BOOTX64.CSV) = 6566d163836a0da9caa31a14b41178a2cf82f96a751a3eff87dcdc0a40b1521b27b35bf7a1d5774e00f605e569f5be1a6baff7e00e3a93f5d6ca3844188034d3
-SHA512 (almalinuxsecurebootca0.cer) = 9190a7d5808d3f4181f0f868d07ba83368357a02970f40594e5ec880d33771d890c69f1dfd4ce6c2bc92e6e14217be1aebf7ecc045e6603032b50e33228763ae
+SHA512 (BOOTX64.CSV) = 6566d163836a0da9caa31a14b41178a2cf82f96a751a3eff87dcdc0a40b1521b27b35bf7a1d5774e00f605e569f5be1a6baff7e00e3a93f5d6ca3844188034d3
\ No newline at end of file