On 01/22/2016 11:11 AM, John R Pierce wrote:
> if you can insert a custom Machine Owner Key into this keyring, then
> anyone with sufficient ingenuity can, too. which renders the whole
> signature thing moot, other than as another step to be cracked.

I'm not sure you understand mokutil. You do know that in order to enroll a key you must be physically present at the console before the kernel boots, right? In order to enroll a key, you must have admin access in the OS, and physical access to the hardware. Outside of an immutable key database, I think that's nearly as secure as it's possible to get.