Comment 7 for bug 1921387

So shim upstream has changed how sections are ordered now, such that in shim 15.4 can now be signed by either old or new sbsigntool, and it verifies correctly in either case.

However, I still think it is a good idea to upgrade to the better sbsigntool to correctly sign even the odd looking binaries. As we will probably hit similar issues when we start adding UEFI secureboot support on new arches - i.e. riscv64.

So yes, upgrading lp-signing machines once this SRU is published will be needed. But it's not an urgent request anymore in terms of building or releasing shim 15.4.