Secure boot broken

Hello,

A recent update has left my system unable to boot with the following messages:

error: bad shim signature.
error: you need to load the kernel first.

The only way to boot currently is to disable secure boot in the bios, or go back 3 or so versions.
I searched a bit, and found some information about signed keys, but nothing that seemed to apply directly.

Latest version: (6.15.8-1.el9.elrepo.x86_64) 9.6 Sage Margay
Last working version: (5.14.0-570.28.1.el9_6.x86_64) 9.6 Sage Margay

Hi @mynd!

What you can try:
1. Since version (5.14.0-570.28.1.el9_6.x86_64) worked before, you can select it from the GRUB menu and set it as default until you resolve the Secure Boot issue.
2. Check if ELRepo provides a public signing key for the new shim or kernel. If so, you can import it into MOK using:
mokutil --import my_key.der
3. dnf reinstall shim-x64 grub2-efi-x64
4. Temporarily disable Secure Boot in BIOS/UEFI until an updated, properly signed kernel/shim is released.

All the best!

That was no “update”!

The kernel-5.14.0-570.28.1.el9_6 is the latest AlmaLinux kernel.

The 6.15.8-1.el9.elrepo is the package kernel-ml from ELRepo. It is not an update; it is a replacement. If you replace the kernel, then the distro is not really “AlmaLinux” any more.

ELRepo does two things:

  • Builds kernel modules for the EL kernel. These they do sign with their own key (which you have to mokutil --import) to allow Secure Boot to load them.
  • Builds upstream kernels (mainline ‘ml’ and longterm ‘lt’) as packages. These they do not sign. You cannot use these kernels with Secure Boot.

The boot process is something like:

  • UEFI loads shim. SecureBoot checks that shim has valid signature X
  • Shim/GRUB loads kernel (and checks that kernel has valid signature Y)
  • Kernel loads modules and checks that they have valid signature Y or Z

The X is most likely Microsoft’s key, as “all” UEFI firmware has it.
Installing Alma does import Alma’s key, Y, to UEFI. The shim must have a copy to load the kernel.
Third-party kernel modules (e.g. from ELRepo, NVIDIA, etc.) use their own key, Z, that you have to import.

In order for ELRepo to sign their kernel, they logically would have to provide a shim that accepts their key, and they would have to get that shim signed (by Microsoft?). That is beyond their scope.
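A way to see the "signature Y / signature Z" distinction in the post above on real files, as an added example that is not part of the thread: an x86_64 vmlinuz (like shim) is a PE/COFF image, and an Authenticode signature, if present, is recorded in data directory #4 (the Certificate Table); a signed .ko has a `struct module_signature` and the magic string `~Module signature appended~\n` appended after the ELF. The script below parses both and reports whether a signature is present at all. Presence is not validity: UEFI, shim and the kernel each verify the signature against their own key store, which is exactly why an unsigned kernel-ml fails and a signed ELRepo module only loads after its key is enrolled with mokutil. The PE header and module blob used here are constructed stand-ins so the code runs offline; on a real system, `pesign -S -i /boot/vmlinuz-…` or `sbverify --list` and `modinfo -F signer <module>` give the same answers.

```python
"""Does this EFI image / kernel module carry a signature at all? (added example)"""
import struct

# ---- PE/COFF: the Authenticode signature is data directory #4 -------------
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def pe_certificate_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table, (0, 0) if absent.
    Unlike other data directories this entry's 'VirtualAddress' is a raw
    file offset, not an RVA."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 4 + 20                     # skip 'PE\0\0' + COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:                        # PE32+ (x86_64 shim / vmlinuz)
        count_off, dirs_off = 108, 112
    elif magic == 0x10B:                      # PE32
        count_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", image, opt + count_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                         # header too short to hold entry #4
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    return struct.unpack_from("<II", image, entry)


def pe_is_signed(image: bytes) -> bool:
    return pe_certificate_table(image)[1] > 0


# ---- .ko: signature trailer appended after the ELF --------------------------
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, big-endian u32 sig_len (include/linux/module_signature.h)
MODULE_SIG_FMT = ">BBBBB3xI"
PKEY_ID_PKCS7 = 2        # what scripts/sign-file emits; signer name is inside the DER


def module_signature_info(ko: bytes):
    """Describe the appended signature, or return None for an unsigned module."""
    if not ko.endswith(MODULE_SIG_MAGIC):
        return None
    body = ko[:-len(MODULE_SIG_MAGIC)]
    hdr = struct.calcsize(MODULE_SIG_FMT)
    if len(body) < hdr:
        raise ValueError("truncated module_signature header")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = struct.unpack_from(
        MODULE_SIG_FMT, body, len(body) - hdr)
    elf_end = len(body) - hdr - (signer_len + key_id_len + sig_len)
    if elf_end < 0:
        raise ValueError("signature lengths exceed file size")
    signer = body[elf_end:elf_end + signer_len]          # empty for PKCS#7
    sig = body[len(body) - hdr - sig_len:len(body) - hdr]
    return {"id_type": id_type, "algo": algo, "hash": hsh, "sig_len": sig_len,
            "signer": signer.decode(errors="replace"), "signature": sig,
            "module_len": elf_end}


# ---- constructed sample inputs (not real binaries) --------------------------
def build_test_pe(cert_size: int) -> bytes:
    """Minimal PE32+ header whose Certificate Table has the given size."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # PE header follows DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                   # 112 fixed + 16 * 8 dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    return bytes(dos) + coff + bytes(opt)


FAKE_ELF = b"\x7fELF" + b"\0" * 60                          # stand-in .ko body
FAKE_PKCS7 = b"\x30\x82" + b"\xaa" * 30                     # stand-in PKCS#7 DER
SIGNED_MODULE = (FAKE_ELF + FAKE_PKCS7
                 + struct.pack(MODULE_SIG_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(FAKE_PKCS7))
                 + MODULE_SIG_MAGIC)
UNSIGNED_MODULE = FAKE_ELF

if __name__ == "__main__":
    print("signed PE   :", pe_is_signed(build_test_pe(0x600)))
    print("unsigned PE :", pe_is_signed(build_test_pe(0)))
    print("signed .ko  :", module_signature_info(SIGNED_MODULE))
    print("unsigned .ko:", module_signature_info(UNSIGNED_MODULE))
```

To run it against real files, feed `open("/boot/vmlinuz-<ver>", "rb").read()` to `pe_is_signed` and a `.ko` from `/lib/modules/<ver>/` to `module_signature_info`. An unsigned kernel-ml image returns `False`, which is the condition GRUB reports as "bad shim signature" under Secure Boot; a signed module returns `id_type == 2`, and which key (Y or Z) it was signed with is only visible by decoding the PKCS#7 blob, as `modinfo -F signer` does.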

Super-informative! Thanks for the help and explanations
