What is going on with Secure Boot in c9s?

So I have a CentOS 9 ISO, and all of a sudden it started booting fine in VMware Workstation and my host with Secure Boot. Normally it would cause a security violation error. I thought it was my failed attempts to add the key to my system using PowerShell, but after resetting the keys in UEFI it still works. Have to test in KVM (using Windows right now, can’t right now) and see if it works there. KVM used to say Access Denied. KVM and TianoCore say Access Denied. Using an HP laptop.

Ran mokutil --reset and it still is working. They really must have fixed something then.

Tested KVM and the issue still persists.

Microsoft updated the SBAT a few days ago, important for Secure Boot.
Not sure if that made the difference.

The SBAT update was probably part of a Secure Boot key update, but the CentOS UEFI key signed by Microsoft expired in 2021, so it is likely that many firmwares don’t check for expiration dates. Which would make sense: a PC could turn into a brick if the video driver expired. After installing the marketplace certificate, Windows is saying it’s OK despite it being expired (btw, you can open the Digital Signatures tab on an EFI file in Windows too):

Meanwhile there is a CentOS certificate which appears to be what shim checks for:

I believe the release engineers are responsible for the shim package, and they should probably refresh the Microsoft-trusted keys to make CentOS Stream work on more hardware.

This SRPM contains the files.

There seems to be no official way to handle expired certificates, so it looks like it depends on the firmware vendor.

There is more info on SBAT and Secure Boot here.
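Because firmware does not enforce certificate expiry, the only way to know whether the signer of a shim or kernel EFI binary has expired is to look at the Authenticode signature yourself. The following is an added example, not code from this thread or from the CentOS shim package: it parses the PE header of an EFI binary with only the Python standard library, pulls out every PKCS#7 SignedData blob from the attribute certificate table, and writes each one to a file so the signer chain and its Not Before / Not After dates can be printed with openssl. The PE layout constants follow the PE/COFF and WIN_CERTIFICATE specifications; the build_constructed_image helper produces a synthetic, non-bootable PE32+ header purely so the parser can be exercised offline.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData (Authenticode)
WIN_CERT_REVISION_2_0 = 0x0200


def find_security_directory(data: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the attribute certificate table.
    Unlike other directories, the security entry is a raw file offset, not an RVA.
    Raises ValueError for non-PE input or an unsigned image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    (size_of_opt,) = struct.unpack_from("<H", data, pe_off + 20)  # COFF SizeOfOptionalHeader
    opt_off = pe_off + 4 + 20                                     # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:                  # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                # PE32+ (what x86_64 EFI binaries use)
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt_off + n_dirs_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        raise ValueError("no security data directory")
    entry = opt_off + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt_off + size_of_opt:
        raise ValueError("security directory entry lies outside the optional header")
    off, size = struct.unpack_from("<II", data, entry)
    if off == 0 or size == 0:
        raise ValueError("image is not signed (empty security directory)")
    if off + size > len(data):
        raise ValueError("security directory points past end of file")
    return off, size


def extract_authenticode(data: bytes) -> list[bytes]:
    """Return every PKCS#7 SignedData blob in the certificate table.
    Multiply-signed binaries carry more than one WIN_CERTIFICATE entry."""
    off, size = find_security_directory(data)
    end = off + size
    blobs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(bytes(data[off + 8:off + length]))
        off += (length + 7) & ~7        # entries are padded to 8-byte alignment
    return blobs


def build_constructed_image(pkcs7_der: bytes) -> bytes:
    """Constructed sample (assumption, not a real binary): a minimal PE32+ header
    followed by one WIN_CERTIFICATE wrapping `pkcs7_der`. Only for exercising the parser."""
    opt_size = 240                      # PE32+ optional header with all 16 directories
    cert_off = 64 + 4 + 20 + opt_size   # certificate table directly follows the headers
    win_cert = struct.pack("<IHH", 8 + len(pkcs7_der), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7_der
    win_cert += b"\0" * (-len(win_cert) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    # Usage: python3 efisig.py /boot/efi/EFI/centos/shimx64.efi  (path is an assumption)
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    for i, blob in enumerate(extract_authenticode(image)):
        out = f"{sys.argv[1]}.sig{i}.p7b"
        with open(out, "wb") as fh:
            fh.write(blob)
        print(f"wrote {len(blob)} bytes of PKCS#7 to {out}; check signer validity with:")
        print(f"  openssl pkcs7 -inform DER -in {out} -print_certs -noout -text | grep -A2 Validity")
```

The openssl step is where the expiry becomes visible: firmware only verifies the signature against db/dbx and never consults a clock, so an expired signer chain is accepted at boot and only this kind of out-of-band check reveals it. Multiple blobs mean the binary carries several signatures (for example a vendor and a Microsoft UEFI CA signature), and each should be inspected.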