I believe this is a bug in sbsigntool, not in the shim data. The expired signature is not in the path to the CA; my understanding is that this is present only as part of the timestamping service.