The certificate is a bit odd:

    Version: 3 (0x2)
    Serial Number: 2574709492 (0x9976f2f4)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Fedora Secure Boot CA
    Validity
        Not Before: Oct 10 17:14:58 2012 GMT
        Not After : Jan 10 17:14:58 2013 GMT
    Subject: CN=Fedora Secure Boot CA
    Subject Public Key Info:
        [...]
    X509v3 extensions:
        Netscape Cert Type:
            Object Signing CA
        X509v3 Key Usage:
            Certificate Sign, CRL Sign
    [...]

It's too short-lived, Basic Constraints are not set, and the (mostly meaningless) self-signature should use SHA-256 (because that's the hash algorithm mandated throughout the UEFI specification).
I've attached the wrong file here. Sorry. Will update shortly with the correct one.
Created attachment 635698
Actual updated certificate.
It should be noted, though, that nothing in secure boot seems to care about any of: Basic Constraints, Auth Key Id, Subject Key Id, or Validity dates. To a certain degree this seems to be correct - those fields aren't necessary for validation of a signature, and the system clock is something that can be set by an attacker. SHA-256 is clearly what we need to have there, as there's no (current) guarantee that anything else will be implemented in system firmware.
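As an added example (not part of this thread and not Fedora or shim tooling), a small Python lint over `openssl x509 -text` style output that flags the three problems named in the first comment: a SHA-1 signature, a short validity period, and missing Basic Constraints. The function names and the 365-day threshold are assumptions; the sample dump is re-typed from that comment with its "[...]" elisions kept.

```python
import re
from datetime import datetime

# Re-typed from the dump in the first comment; line layout is constructed.
SAMPLE_DUMP = """\
Version: 3 (0x2)
Serial Number: 2574709492 (0x9976f2f4)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Fedora Secure Boot CA
Validity
    Not Before: Oct 10 17:14:58 2012 GMT
    Not After : Jan 10 17:14:58 2013 GMT
Subject: CN=Fedora Secure Boot CA
Subject Public Key Info:
    [...]
X509v3 extensions:
    Netscape Cert Type:
        Object Signing CA
    X509v3 Key Usage:
        Certificate Sign, CRL Sign
[...]
"""
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # date format used in openssl text output

def _field(dump, label):
    m = re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", dump, re.MULTILINE)
    return m.group(1) if m else None

def lint_ca_dump(dump, min_days=365):
    """Return findings for a CA certificate text dump.
    min_days is an assumed policy threshold, not a value from the thread."""
    findings = []
    sig = _field(dump, "Signature Algorithm")
    if sig is None:
        findings.append("signature algorithm not found")
    elif "sha256" not in sig.lower():
        findings.append(f"signature uses {sig}, expected SHA-256")
    nb, na = _field(dump, "Not Before"), _field(dump, "Not After")
    if nb and na:
        days = (datetime.strptime(na, DATE_FMT) - datetime.strptime(nb, DATE_FMT)).days
        if days < min_days:
            findings.append(f"validity is only {days} days")
    else:
        findings.append("validity dates not found")
    if "X509v3 Basic Constraints" not in dump:
        findings.append("Basic Constraints extension missing")
    elif not re.search(r"CA\s*:\s*TRUE", dump):
        findings.append("Basic Constraints present but CA:TRUE not set")
    return findings
```

Running `lint_ca_dump(SAMPLE_DUMP)` reports all three issues; a dump with a SHA-256 signature, a longer validity period and `CA:TRUE` returns an empty list.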