diff --git a/.shim.metadata b/.shim.metadata
index 419f702..270f7ac 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1,3 +1,3 @@
-fddb9c22fd56e9c6975159ad72415c9a4cb7cebd SOURCES/shimaa64.efi
-c3c4d0ccdc07c03c20f133f9f65f6f12accea87a SOURCES/shimia32.efi
-6436ae30f3f189f70f9043d91ede90058fbeb00a SOURCES/shimx64.efi
+750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi
+3a0d861097a6ec3c9c85b75a7f9938147965fdfc SOURCES/shimia32.efi
+c37eec63cee909abaa08e53dbbda5a32660513b2 SOURCES/shimx64.efi
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer
new file mode 100644
index 0000000..dfa7afb
Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer
deleted file mode 100644
index 4ff8b79..0000000
Binary files a/SOURCES/secureboot.cer and /dev/null differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
deleted file mode 100644
index b235400..0000000
Binary files a/SOURCES/securebootca.cer and /dev/null differ
diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros
index c83519c..c8cd248 100644
--- a/SOURCES/shim.rpmmacros
+++ b/SOURCES/shim.rpmmacros
@@ -14,8 +14,8 @@
#%%global shimefiarm %%{expand:%%{SOURCE23}
%global shimveraa64 15-4.el8
-%global shimveria32 15-2.el8
-%global shimverx64 15-2.el8
+%global shimveria32 15-7.el8
+%global shimverx64 15-7.el8
#%%global shimverarm 15-1.el8
%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
@@ -90,7 +90,7 @@ version signed by the UEFI signing service. \
# -i
%define distrosign(b:a:d:) \
cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
- %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot301 -a %{SOURCE2} -c %{SOURCE1} }\
+ %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} }\
%{nil}
# -a
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index 8afb18f..a0fbeb6 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,11 +1,6 @@
-# this is to make us only expand %%{dist} if we're on a modularity build.
-# it's 2 macros make vim's \c not put a brace at the end of the changelog.
-%global _dist %{expand:%{?_module_build:%%{?dist}}}
-%global dist %{expand:%%{_dist}}
-
Name: shim
Version: 15
-Release: 11%{?dist}
+Release: 14%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: https://github.com/rhboot/shim/
@@ -19,8 +14,8 @@ ExcludeArch: %{ix86}
ExcludeArch: %{arm}
Source0: shim.rpmmacros
-Source1: secureboot.cer
-Source2: securebootca.cer
+Source1: redhatsecureboot501.cer
+Source2: redhatsecurebootca5.cer
# keep these two lists of sources synched up arch-wise. That is 0 and 10
# match, 1 and 11 match, ...
@@ -106,6 +101,21 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
%endif
%changelog
+* Tue Jul 28 2020 Peter Jones - 15-14
+- Get rid of our %dist hack for now.
+
+* Tue Jul 28 2020 Peter Jones - 15-13
+- New signing keys
+ Related: CVE-2020-10713
+ Related: CVE-2020-14308
+ Related: CVE-2020-14309
+ Related: CVE-2020-14310
+ Related: CVE-2020-14311
+
+* Thu Jun 11 2020 Javier Martinez Canillas - 15-12
+- Fix firmware update bug in aarch64 caused by shim ignoring arguments
+- Fix a shim crash when attempting to netboot
+
* Fri Jun 07 2019 Javier Martinez Canillas - 15-11
- Update the shim-unsigned-aarch64 version number
Related: rhbz#1715879