Mokutil --list-enrolled explanation

Hi, first a clarifying question:

Did you receive this warning and re-enroll (ujust enroll-secure-boot-key) before checking the output of mokutil --list-enrolled?

I want to know if the script is mis-detecting, because it should only run if 2be991e3b1 ublue kernel is missing.

Second:

2be991e3b1 ublue kernel is our new secure boot signing key which we use to sign kernels as well as kmods.

63fe4d8157 ublue akmods is older and was only used for signing kmods. This is partially addressed in this announcement Autumn update: Secure Boot users, make sure you've enrolled our secure boot key, but it’s not very clear. Also, we just added a note about the old key here: Introduction to Bluefin

We’re currently signing kernels with the new key and akmods with both keys. Eventually, we’ll drop the old key and provide instructions or automation to remove it from the list of enrolled MOKs.

Third:

I haven’t had a chance to dig deep on the different Fedora CA entries. But I don’t believe that is actually stored in the UEFI MOK list, rather it’s provided by the Fedora shim. Fedora did do their own key rotation not too long ago, so I suspect that you still have the older shim and grub in your boot partition.

You can read more about that if you wish: Manual action needed to resolve boot failure for Fedora Atomic Desktops and Fedora IoT - Fedora Magazine

1 Like