On the side note: it is Microsoft that signs one of Linux packages now. We seem to have made one more step away from “our” computers being _our computers_. Am I wrong?
Secure booting using UEFI requires that the code is signed - that is the "secure" bit. Microsoft are the CA for that signing. There's nothing sinister about it, they aren't signing the RPM package just one of the bits of code in the package. I seem to remember that Microsoft were the most vocal advocates for secure booting to get around boot sector viruses and in order to facilitate a more universal uptake they committed to signing any UEFI boot code from other OSes so long as it came from a bona fide source.
You don't have to use UEFI secure booting - most machines can fall back to legacy booting using BIOS settings. If you do that, you won't use any Microsoft signed code.
I haven't looked in detail at the bug this all was supposed to fix, but I think it had the capability of by-passing the UEFI security checking, hence why the release of the advisory was delayed until the OSes were patched and why there was a scramble to get everything out in time. It's a nasty bug and was difficult to fix from what I've heard.
P.