I think the reason you had to sign the kernel (on every update) is that you signed systemd-bootx64.efi instead of shim. shim has a built-in Fedora key to backdoor the Secure Boot process into trusting the Fedora key, even if it's not in the key db.
If you sign shim, the boot goes: shim (your key, or Microsoft) → sd-boot (Fedora) → kernel (Fedora).
But you didn't sign it and removed the Microsoft key, so the boot likely doesn't allow shim, and it goes: sd-boot (your key) → kernel (must be your key).
I think it might be a better idea to:
- Indeed, skip the shim, modify the UEFI boot entry to point to sd-boot
- Sign sd-boot with your key
- Add Fedora public keys[1][2] to the key db alongside your key
Since otherwise kernel modules and fwupd will have to be signed again as well.
EDIT:
Oh I see, shim is not installed. The boot entry already points to sd-boot.
Tried this myself, works. Used sbctl, added the fedora cert as custom, signed sd-boot with my key.
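The sbctl flow the comment above describes, as an added example (not the commenter's own script and not part of sbctl): build an EFI_SIGNATURE_LIST (.esl) from a DER-encoded Fedora certificate, drop it into sbctl's custom db directory, enroll it alongside your own key, and sign sd-boot. Assumptions, labelled in the comments: sbctl reads custom `.esl` files from `/usr/share/secureboot/custom/db/` when `enroll-keys --custom` is used (newer sbctl versions moved this under `/var/lib/sbctl/`, so adjust `SBCTL_CUSTOM_DIR`); sd-boot lives at `/boot/efi/EFI/systemd/systemd-bootx64.efi` on a Fedora ESP; the owner GUID is a placeholder; the Fedora certificate itself must be fetched from the references ([1][2]) and is not included here.

```shell
#!/bin/sh
# Added example: enroll a vendor (Fedora) cert in db next to your own sbctl key
# and sign systemd-boot, so the distro kernel boots without shim.
# The ESL builder is pure POSIX sh so it runs without efitools.

EFI_CERT_X509_GUID="a5c059a1-94e4-4aa7-87b5-ab155c2bf072"   # SignatureType for X.509 certs (UEFI spec)
OWNER_GUID="${OWNER_GUID:-12345678-1234-1234-1234-123456789abc}"  # placeholder SignatureOwner, assumption
SBCTL_CUSTOM_DIR="${SBCTL_CUSTOM_DIR:-/usr/share/secureboot/custom}"  # sbctl custom dir, assumption
SDBOOT="${SDBOOT:-/boot/efi/EFI/systemd/systemd-bootx64.efi}"        # sd-boot on a Fedora ESP, assumption

# le_bytes VALUE NBYTES: write VALUE as little-endian raw bytes.
le_bytes() {
  local v=$1 n=$2 i=0
  while [ "$i" -lt "$n" ]; do
    printf "\\$(printf '%03o' $(( v & 255 )))"
    v=$(( v >> 8 )); i=$(( i + 1 ))
  done
}

# hex_bytes HEXSTRING: write the bytes encoded by a hex string.
hex_bytes() {
  local h=$1
  while [ -n "$h" ]; do
    printf "\\$(printf '%03o' $(( 0x${h%"${h#??}"} )))"
    h=${h#??}
  done
}

# guid_le TEXT-GUID: on-disk EFI_GUID (first three fields little-endian, rest as-is).
guid_le() {
  local g=$1 rest d1 d2 d3 d4 d5
  d1=${g%%-*}; rest=${g#*-}
  d2=${rest%%-*}; rest=${rest#*-}
  d3=${rest%%-*}; rest=${rest#*-}
  d4=${rest%%-*}; d5=${rest#*-}
  le_bytes $(( 0x$d1 )) 4; le_bytes $(( 0x$d2 )) 2; le_bytes $(( 0x$d3 )) 2
  hex_bytes "$d4$d5"
}

# make_esl CERT.der OWNER-GUID OUT.esl: wrap one DER cert in an EFI_SIGNATURE_LIST.
# Layout: SignatureType(16) ListSize(4) HeaderSize(4)=0 SignatureSize(4)
#         then one EFI_SIGNATURE_DATA = SignatureOwner(16) + cert bytes.
make_esl() {
  local cert=$1 owner=$2 out=$3 certlen sigsize listsize first
  first=$(head -c1 "$cert" | od -An -tx1 | tr -d ' \n')
  if [ "$first" != "30" ]; then
    echo "error: $cert is not DER (no leading SEQUENCE); convert PEM with: openssl x509 -in cert.pem -outform DER -out cert.der" >&2
    return 1
  fi
  certlen=$(wc -c < "$cert")
  sigsize=$(( 16 + certlen ))
  listsize=$(( 16 + 4 + 4 + 4 + sigsize ))
  {
    guid_le "$EFI_CERT_X509_GUID"
    le_bytes "$listsize" 4
    le_bytes 0 4
    le_bytes "$sigsize" 4
    guid_le "$owner"
    cat "$cert"
  } > "$out"
}

# run CMD...: execute, or just print the command when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# enroll_and_sign FEDORA.esl: put the vendor ESL in sbctl's custom db dir,
# enroll your keys plus the custom list, sign sd-boot, verify.
enroll_and_sign() {
  run mkdir -p "$SBCTL_CUSTOM_DIR/db"
  run cp "$1" "$SBCTL_CUSTOM_DIR/db/fedora.esl"
  run sbctl create-keys            # no-op if your keys already exist
  run sbctl enroll-keys --custom   # your PK/KEK/db + custom/db/*.esl; Microsoft keys intentionally omitted
  run sbctl sign -s "$SDBOOT"      # -s: re-sign automatically on future sbctl runs
  run sbctl verify
}

if [ $# -ge 1 ]; then              # usage: sh this.sh fedora-ca.der
  make_esl "$1" "$OWNER_GUID" /tmp/fedora.esl && enroll_and_sign /tmp/fedora.esl
fi
```

Run with `DRY_RUN=1 sh this.sh fedora-ca.der` first to see the commands without touching the firmware variables; `sbctl enroll-keys` can refuse to run without `--microsoft` on machines with option ROMs, and that refusal is worth heeding rather than overriding. `sbctl verify` afterwards should list sd-boot as signed; the Fedora kernel needs no signature from you because the firmware now trusts the Fedora cert from db directly.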