I have not looked at how MS implemented UEFI signing, but I don't understand.
Looking at sysdev.microsoft.com, it looks like you need an Authenticode certificate in the Verisign > Microsoft > ... > You chain. Exactly the same as you get when you want to sign Windows drivers.
I do get my certificate and I do sign my Windows drivers, I don't need to send them to Microsoft :-?
Re: Certificate instead of shim code with embedded signature
Looking at sysdev.microsoft.com, it looks like you need an Authenticode certificate in the Verisign > Microsoft > ... > You chain. Exactly the same as you get when you want to sign Windows drivers.
I do get my certificate and I do sign my Windows drivers, I don't need to send them to Microsoft :-?