Secure boot fails with invalid signature on 4.18.0-477.10.1.el8_8

Attempting to boot kernel 4.18.0-477.10.1.el8_8 with secure boot enabled is resulting in a missing or invalid signature error. Is anyone else seeing this?

Is the error for any particular module, or for the kernel in general?

The kernel:
[image]

Another AlmaLinux 8.8 machine has no trouble booting that kernel. I can select the previous kernel 4.18.0-425.19.2.el8_7.x86_64 and boot that fine.

One difference, on the good machine:

# mokutil --list-enrolled | grep Subject:
        Subject: serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization, C=US, ST=Florida, O=AlmaLinux OS Foundation, CN=AlmaLinux OS Foundation
        Subject: C=US, ST=Florida, L=Fort Myers, O=AlmaLinux OS Foundation/serialNumber=5561017, CN=AlmaLinux OS Foundation/businessCategory=Private Organization/jurisdictionST=Delaware/jurisdictionC=US

on the bad machine:

# mokutil --list-enrolled | grep Subject:
        Subject: jurisdictionC=US/jurisdictionST=Delaware/postalCode=FL 33913/street=15068 Blue Bay Circle/businessCategory=Private Organization/serialNumber=83-0923043, C=US, ST=Florida, L=Fort Myers, O=Cloud Linux Software, Inc, CN=Cloud Linux Software, Inc

But I don’t recall adding any keys to the “good” machine - in fact I had to install mokutil to get the listing. But I may have installed an almalinux key on the “bad” machine.

So, whatever you do, do NOT run mokutil --set-verbosity true. It will spew LOTS of output and likely break booting.

For now I’ve disabled secure boot. I also ran mokutil --reset and perhaps that has cleared the old key? Not sure.

Now mokutil output matches that of the “good” machine - so perhaps those are just the keys needed for the new kernel? The mokutil output from another machine running the 8.7 kernel shows what I was seeing on the “bad” machine with the 8.7 kernel, so that seems to match.
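
The comparison made by eye in this thread can be scripted. The following is an added example, not posted by anyone in the thread: it reduces `mokutil --list-enrolled` output to the distinct signer organizations, so two machines can be compared directly. The function names are hypothetical, and the sample Subject lines are the ones quoted above.

```shell
#!/bin/sh
# mok_orgs: read `mokutil --list-enrolled` output on stdin and print each
# distinct O= (organization) value found on a "Subject:" line.
mok_orgs() {
    awk '
    /^[ \t]*Subject:/ {
        s = $0
        # Find the O= attribute; it follows a space or a "/" separator.
        if (!match(s, "[ /]O=")) next
        s = substr(s, RSTART + 3)
        # The value ends at the next ", attr=" or "/attr=" separator.
        # A bare ", " is not enough: "Cloud Linux Software, Inc" contains one.
        if (match(s, "(, |/)[A-Za-z]+=")) s = substr(s, 1, RSTART - 1)
        print s
    }' | sort -u
}

# mok_has_org ORG: succeed if ORG is one of the organizations on stdin.
mok_has_org() {
    mok_orgs | grep -Fxq -- "$1"
}

# Subject lines copied from the "good" machine in this thread.
good_sample() {
    cat <<'EOF'
        Subject: serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization, C=US, ST=Florida, O=AlmaLinux OS Foundation, CN=AlmaLinux OS Foundation
        Subject: C=US, ST=Florida, L=Fort Myers, O=AlmaLinux OS Foundation/serialNumber=5561017, CN=AlmaLinux OS Foundation/businessCategory=Private Organization/jurisdictionST=Delaware/jurisdictionC=US
EOF
}

# Subject line copied from the "bad" machine in this thread.
bad_sample() {
    cat <<'EOF'
        Subject: jurisdictionC=US/jurisdictionST=Delaware/postalCode=FL 33913/street=15068 Blue Bay Circle/businessCategory=Private Organization/serialNumber=83-0923043, C=US, ST=Florida, L=Fort Myers, O=Cloud Linux Software, Inc, CN=Cloud Linux Software, Inc
EOF
}

# On a live system: mokutil --list-enrolled | mok_orgs
echo "good machine: $(good_sample | mok_orgs)"
echo "bad machine:  $(bad_sample | mok_orgs)"
```

Running the same pipeline on each machine and diffing the results shows at a glance whether the enrolled signers differ.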