rhboot / shim

UEFI shim loader


What is the best way to test Shim with Vendor Certificate

Jurij-Ivastsuk opened this issue

Hi all, what is the best way to test if Shim works with the integrated vendor certificate, assuming you don't have a Microsoft certificate yet and Secure Boot is enabled?

It sounds like you need to sign shim yourself (with a different certificate) and then add that certificate (but not your vendor cert, since that's only meant to work for things loaded by shim) to the firmware SB db allow list.

@mikebeaton Thank you very much! Is that the only way? Can you give me a hint as to which Linux tools I can use to add a test certificate to db?

KeyTool.efi, which is included in the efitools package, or your BIOS may have a section for adding/appending to this from files stored on the ESP.

@mikebeaton Thank you very much!
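The thread talks about adding a test certificate to the firmware db. As an added example (not code from the shim project or from anyone in this thread), the sketch below wraps a DER certificate in the UEFI `EFI_SIGNATURE_LIST` structure that db stores entries in, and parses such a blob back so you can check what would be enrolled. The names `build_esl` and `parse_esl`, the sample bytes and the owner GUID are assumptions made for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: the list holds X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, signature size

# Constructed sample values: a 5-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")


def build_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST."""
    if not cert_der or cert_der[0] != 0x30:
        raise ValueError("expected DER (ASN.1 SEQUENCE), not PEM text")
    sig_size = 16 + len(cert_der)  # owner GUID followed by the certificate
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                             ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes):
    """Return [(owner GUID, cert bytes)] for every X.509 entry in a db-style blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated signature list header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        body = off + ESL_HEADER.size + hdr_size
        end = off + list_size
        if list_size < ESL_HEADER.size or end > len(blob) or sig_size <= 16 or body > end:
            raise ValueError("inconsistent signature list sizes")
        if (end - body) % sig_size:
            raise ValueError("entries do not fill the list evenly")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_X509_GUID:
            for pos in range(body, end, sig_size):
                owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
                entries.append((owner, blob[pos + 16:pos + sig_size]))
        off = end
    return entries
```

efitools' `cert-to-efi-sig-list` produces the same structure from a PEM certificate; GUIDs are stored in the mixed-endian layout that `bytes_le` yields.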