Hi @dgibson
I think you’re spot on with “files are signed with a different key”. Please have a look at Add SecureBoot support for arbitrary distributions. Maybe my colleage can give you a short update on the effort to rework secure boot in Foreman or other small hints. cc @Jan