Comment 5 for bug 1921387

Dimitri John Ledkov (xnox) wrote :

Verifying existing binaries with new sbsigntool:

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/fwupx64.efi.signed
# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-amd64/current/control/uefi.crt
# sbverify --cert ./uefi.crt ./fwupx64.efi.signed
warning: data remaining[63352 vs 71400]: gaps between PE/COFF sections?
Signature verification OK

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/fwupdate-i386/current/fwupia32.efi.signed
# sbverify --cert ./uefi.crt ./fwupia32.efi.signed
warning: data remaining[54648 vs 63512]: gaps between PE/COFF sections?
Signature verification OK

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/signed/linux-amd64/current/signed.tar.gz -O linux-signed.tar.gz
# tar xvf linux-signed.tar.gz
# sbverify --cert uefi.crt 4.15.0-20.21/vmlinuz-4.15.0-20-generic.efi.signed
warning: data remaining[8249064 vs 8249080]: gaps between PE/COFF sections?
Signature verification OK
# sbverify --cert uefi.crt 4.15.0-20.21/vmlinuz-4.15.0-20-lowlatency.efi.signed
warning: data remaining[8298216 vs 8298232]: gaps between PE/COFF sections?
Signature verification OK

# wget http://archive.ubuntu.com/ubuntu/dists/bionic/main/uefi/grub2-amd64/current/grubx64.efi.signed
# sbverify --cert uefi.crt grubx64.efi.signed
Signature verification OK

# wget http://ports.ubuntu.com/dists/bionic/main/uefi/grub2-arm64/current/grubaa64.efi.signed
# sbverify --cert uefi.crt ./grubaa64.efi.signed
Signature verification OK

All existing bionic signatures validate correctly. Thus the problem is really induced by gaps/ordering of the .sbat & .data sections, on arm64 with the very new sbat-capable binaries.
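The layout the comment above blames (gaps between section data, or a section table whose order differs from file order) can be checked by reading the PE/COFF section table directly. This is an added example, not part of the original comment and not sbsigntool's code; the function names and the constructed toy image (which has no optional header, so it is not a loadable EFI binary) are assumptions for illustration.

```python
import struct

def pe_sections(data):
    """Return [(name, raw_offset, raw_size)] in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    out = []
    for i in range(nsec):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _, _, size, off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), off, size))
    return out

def layout_issues(data):
    """Report (kind, first, second, bytes) for out-of-order entries and gaps."""
    secs = [s for s in pe_sections(data) if s[2]]   # skip sections with no raw data
    issues = []
    for prev, cur in zip(secs, secs[1:]):
        if cur[1] < prev[1]:                        # table order != file order
            issues.append(("out-of-order", prev[0], cur[0], 0))
    by_off = sorted(secs, key=lambda s: s[1])
    for prev, cur in zip(by_off, by_off[1:]):
        gap = cur[1] - (prev[1] + prev[2])          # bytes no section covers
        if gap > 0:
            issues.append(("gap", prev[0], cur[0], gap))
    return issues

def build_sample(sections):
    """Constructed toy image: 0x200 bytes of headers plus zero-filled data."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, len(sections))
    for i, (name, off, size) in enumerate(sections):
        struct.pack_into("<8sIIII", hdr, 0x58 + 40 * i, name, 0, 0, size, off)
    end = max(off + size for _, off, size in sections)
    return bytes(hdr) + bytes(end - 0x200)

# Constructed layouts: .sbat listed before .data and placed after a 0x200 hole.
BAD = build_sample([(b".text", 0x200, 0x200), (b".sbat", 0x800, 0x200), (b".data", 0x400, 0x200)])
GOOD = build_sample([(b".text", 0x200, 0x200), (b".data", 0x400, 0x200), (b".sbat", 0x600, 0x200)])

if __name__ == "__main__":
    for kind, a, b, n in layout_issues(BAD):
        print(f"{kind}: {a} -> {b} ({n} bytes)")
```

To inspect a real image, pass the file's bytes to `layout_issues`; an attached signature is stored after the section data and is not part of this check.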