kairos-io / enki

Building Kairos artifacts with ease

Fix signing #110

Closed jimmykarily closed 4 months ago

jimmykarily commented 4 months ago

While working on this ticket I (re)discovered that we broke the chain of signatures when we refactored the code to use go-uefi and sbctl.

Although this should be the right way to sign the various databases, I couldn't find a case where this chain of trust is actually checked, either in QEMU or on real hardware (ASUS PN64). See the linked ticket for more.

In any case, let's get this fixed in case some firmware cares about it.