I’ve never seen that dialogue before, what image are you on?
Did you have Secure boot off at some point and enabled it later after rolling the keys? Because on the image you posted it shows you have Secure Boot off and then later that it is enabled.
What is the output of command:
rpm-ostree status
No, I downloaded it with secure boot.
Okay, don’t know the specifics, but will try to explain this as best I can.
With Secure Boot, your kernel needs to receive signing keys from all kernel drivers. The reason driver makers are pushed to include stuff in the kernel (think Sony with their Dualshock controller driver or AMD’s drivers), they all immediately get signed alongside the normal kernel and you don’t notice anything.
The problem is software that breaks that chain of trust by introducing another certificate. Even though it’s innocuous, VirtualBox does this on Debian because there’s no native package signing keys in the Debian repos for the VirtualBox kernel module.
I’ve seen the NVIDIA driver so the same thing because NVIDIA is signed using the Fedora signing key, but it still reports the kernel as tainted because another certificate was technically installed, even if you cleared it in mokutil like you do on first boot in Bluefin.
Now if you don’t have an NVIDIA GPU (Intel and AMD GPUs don’t suffer this issue), this could be a problem with the way that the Bluefin signing keys are handled and this needs to be solved there. It’s also a longstanding thing in RPMFusion with NVIDIA, but I’m not sure what would need to be done or if anything can be done.
TL;DR: You’re probably fine, but spooky warnings might have been investigated already because of kernel module policies.