diff --git a/.shim-signed.metadata b/.shim-signed.metadata
index 7300029..ca55596 100644
--- a/.shim-signed.metadata
+++ b/.shim-signed.metadata
@@ -1,4 +1,4 @@
 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz
 5d388f1f7cbb6c00fc5029f3e9ecef931953c6af SOURCES/shimaa64.efi
-ef1dd5153ae097116a870b6b3571aa1f2f99bfe7 SOURCES/shimia32.efi
-23b7889abdb236c8cd871733ba2ea7f91d543b99 SOURCES/shimx64.efi
+800e5e17f1d0770ab6eccc867898f96f5442b29a SOURCES/shimia32.efi
+0584dcb7f71fc7a665d8a6d33d5b2e7c23d8c5d7 SOURCES/shimx64.efi
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer
new file mode 100644
index 0000000..dfa7afb
Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer
deleted file mode 100644
index 4ff8b79..0000000
Binary files a/SOURCES/secureboot.cer and /dev/null differ
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
deleted file mode 100644
index b235400..0000000
Binary files a/SOURCES/securebootca.cer and /dev/null differ
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 91b911e..c118298 100644
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -1,16 +1,16 @@ Name: shim-signed Version: 15 -Release: 2%{?dist}%{?buildid} +Release: 7%{?dist}%{?buildid} Summary: First-stage UEFI bootloader -%define unsigned_release 5%{?dist} +%define unsigned_release 7.el7_9 License: BSD URL: https://github.com/rhboot/shim/ # incorporate mokutil for packaging simplicity %global mokutil_version 0.3.0 Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz -Source1: secureboot.cer -Source2: securebootca.cer +Source1: redhatsecureboot501.cer +Source2: redhatsecurebootca5.cer Source10: shimx64.efi Source11: shimia32.efi Source12: shimaa64.efi @@ -167,9 +167,9 @@ cp %{shimsrcia32} shimia32.efi %endif %endif %ifarch %{rh_signed_arches} -%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi +%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shim%{efiarchlc}-%{efidir}.efi %ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi +%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 -o shimia32-%{efidir}.efi %endif %endif %ifarch %{rh_signed_arches} 
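Review bot: `%define unsigned_release 7.el7_9` hard-codes the dist tag where the old line used `%{?dist}`, and nothing in the spec says why. If the pin is deliberate (the signed shim blobs in `Source10`-`Source12` correspond to one specific unsigned build), record that in a comment above the line, e.g. `# pinned: must match the shim-unsigned build whose binaries were submitted for signing`. Otherwise a rebuild under a different dist tag will presumably resolve `%{unsigned_dir}` to a directory that does not exist; the definition of `%{unsigned_dir}` is outside this hunk, so that dependency is inferred.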
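Review bot: The certificate nickname `redhatsecureboot501` is a literal in six `%pesign` lines (two in this hunk, four in the hunk at -178) and also has to agree with the `Source1` file name changed at the top of the spec, so every key rotation is a six-line edit in which one missed line could leave a binary signed under a stale nickname or break the build. Define it once, `%global sb_cert_nick redhatsecureboot501`, and pass `-n %{sb_cert_nick}` in each call. A comment beside `Source1`/`Source2` stating which file is the signing certificate (`-c`) and which is the CA (`-a`) would also help, since the calls pass `%{SOURCE2}` before `%{SOURCE1}`.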
@@ -178,12 +178,12 @@ cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi %endif %endif -%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 +%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 %ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 +%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot501 %endif cd mokutil-%{mokutil_version} @@ -258,6 +258,14 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog +* Tue Jul 28 2020 Peter Jones - 15-7 +- New signing keys + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + * Thu Mar 21 2019 Peter Jones - 15-2 - Fix MoK mirroring issue which breaks kdump without intervention Related: rhbz#1649270
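Review bot: The first two `mm`/`fb` signing lines in this hunk sit outside the `%ifarch x86_64` block, so they apply to every architecture that is built, yet the `.shim-signed.metadata` change in this commit replaces only `shimia32.efi` and `shimx64.efi` and leaves `shimaa64.efi` at its old hash. If aarch64 is still built from this spec, MokManager and fallback would be signed with the new `redhatsecureboot501` key while the prebuilt aarch64 shim presumably still embeds the previous vendor certificate, and that shim would likely reject them under Secure Boot; whether aarch64 is built is not visible here. Either refresh `Source12` as well or state in the changelog that aarch64 is excluded. A check after the signing calls that lists each output's signature (for example `pesign -S -i mm%{efiarchlc}.efi`) and fails when the signer is not the expected certificate would catch this kind of mismatch at build time; the enclosing section starts and ends outside the hunk.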