diff --git a/.gitignore b/.gitignore
index a250cf7..6af0766 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-12.tar.bz2
+SOURCES/shim-15.tar.bz2
diff --git a/.shim.metadata b/.shim.metadata
index d93caad..5677fcd 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1 +1 @@
-5c5a5738bd0412cb1f42ac2b9dace11c3495ed5b SOURCES/shim-12.tar.bz2
+2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2
diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
deleted file mode 100644
index 1058298..0000000
--- a/SOURCES/0001-Add-vendor-esl.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From bc1e30ee1e7940e0e70eab9afd55b6e355ef9899 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Sat, 21 Jul 2018 03:27:26 +0200
-Subject: [PATCH] Add vendor_esl
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- Makefile |  3 +++
- cert.S   | 30 ++++++++++++++++++++++++++++++
- shim.c   | 36 +++++++++++++++++++++++++++++++++++-
- 3 files changed, 68 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 6ece282..78688e0 100644
---- a/Makefile
-+++ b/Makefile
-@@ -82,6 +82,9 @@ endif
- ifneq ($(origin VENDOR_CERT_FILE), undefined)
- 	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
- endif
-+ifneq ($(origin VENDOR_ESL_FILE), undefined)
-+	CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\"
-+endif
- ifneq ($(origin VENDOR_DBX_FILE), undefined)
- 	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
- endif
-diff --git a/cert.S b/cert.S
-index cfc4525..7ad782a 100644
---- a/cert.S
-+++ b/cert.S
-@@ -8,12 +8,18 @@ cert_table:
- #else
- 	.long	0
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+	.long	vendor_esl_priv_end - vendor_esl_priv
-+#else
-+	.long	0
-+#endif
- #if defined(VENDOR_DBX_FILE)
- 	.long	vendor_dbx_priv_end - vendor_dbx_priv
- #else
- 	.long	0
- #endif
- 	.long	vendor_cert_priv - cert_table
-+	.long	vendor_esl_priv - cert_table
- 	.long	vendor_dbx_priv - cert_table
- #if defined(VENDOR_CERT_FILE)
- 	.data
-@@ -39,6 +45,30 @@ vendor_cert_priv:
- 	.section .vendor_cert, "a", %progbits
- vendor_cert_priv_end:
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+	.data
-+	.align	1
-+	.type	vendor_esl_priv, %object
-+	.size	vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv
-+	.section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+.incbin VENDOR_ESL_FILE
-+vendor_esl_priv_end:
-+#else
-+	.bss
-+	.type	vendor_esl_priv, %object
-+	.size	vendor_esl_priv, 1
-+	.section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+	.zero	1
-+
-+	.data
-+	.align 4
-+	.type	vendor_esl_size_priv, %object
-+	.size	vendor_esl_size_priv, 4
-+	.section .vendor_cert, "a", %progbits
-+vendor_esl_priv_end:
-+#endif
- #if defined(VENDOR_DBX_FILE)
- 	.data
- 	.align	1
-diff --git a/shim.c b/shim.c
-index f8a1e67..d99134f 100644
---- a/shim.c
-+++ b/shim.c
-@@ -84,14 +84,18 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8,
-  */
- extern struct {
- 	UINT32 vendor_cert_size;
-+	UINT32 vendor_esl_size;
- 	UINT32 vendor_dbx_size;
- 	UINT32 vendor_cert_offset;
-+	UINT32 vendor_esl_offset;
- 	UINT32 vendor_dbx_offset;
- } cert_table;
- 
- UINT32 vendor_cert_size;
-+UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT8 *vendor_cert;
-+UINT8 *vendor_esl;
- UINT8 *vendor_dbx;
- 
- /*
-@@ -1029,6 +1033,18 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- 			return status;
- 		}
- 
-+		/*
-+		 * Check if there's a vendor ESL built-in
-+		 */
-+		if (vendor_esl_size &&
-+			check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl,
-+					     vendor_esl_size,
-+					     cert,
-+					     sha256hash) == DATA_FOUND) {
-+			status = EFI_SUCCESS;
-+			return status;
-+		}
-+
- 		/*
- 		 * And finally, check against shim's built-in key
- 		 */
-@@ -1973,6 +1989,22 @@ EFI_STATUS mirror_mok_list()
- 
- 		CertData->SignatureOwner = SHIM_LOCK_GUID;
- 		CopyMem(p, vendor_cert, vendor_cert_size);
-+	} else if (vendor_esl_size) {
-+		FullDataSize = DataSize
-+			     + vendor_esl_size
-+			     ;
-+		FullData = AllocatePool(FullDataSize);
-+		if (!FullData) {
-+			perror(L"Failed to allocate space for MokListRT\n");
-+			return EFI_OUT_OF_RESOURCES;
-+		}
-+		p = FullData;
-+
-+		if (efi_status == EFI_SUCCESS && DataSize > 0) {
-+			CopyMem(p, Data, DataSize);
-+			p += DataSize;
-+		}
-+		CopyMem(p, vendor_esl, vendor_esl_size);
- 	} else {
- 		FullDataSize = DataSize;
- 		FullData = Data;
-@@ -2606,7 +2638,7 @@ shim_init(void)
- 	set_second_stage (global_image_handle);
- 
- 	if (secure_mode()) {
--		if (vendor_cert_size || vendor_dbx_size) {
-+		if (vendor_cert_size || vendor_esl_size || vendor_dbx_size) {
- 			/*
- 			 * If shim includes its own certificates then ensure
- 			 * that anything it boots has performed some
-@@ -2706,8 +2738,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 	verification_method = VERIFIED_BY_NOTHING;
- 
- 	vendor_cert_size = cert_table.vendor_cert_size;
-+	vendor_esl_size = cert_table.vendor_esl_size;
- 	vendor_dbx_size = cert_table.vendor_dbx_size;
- 	vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-+	vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset;
- 	vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
- 
- 	/*
--- 
-2.18.0
-
diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl
deleted file mode 100644
index c0815a7..0000000
Binary files a/SOURCES/centos.esl and /dev/null differ
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index a7778ba..97117dd 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,19 +1,16 @@
 Name:           shim
-Version:        12
-Release:        2%{?dist}
+Version:        15
+Release:        1%{?dist}
 Summary:        First-stage UEFI bootloader
 
 License:        BSD
 URL:            http://www.codon.org.uk/~mjg59/shim/
-Source0:	https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-#Source1:	centos.crt
+Source0:        https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1:        securebootca.cer
 # currently here's what's in our dbx: # nothing.
-#Source2:	dbx-x64.esl
-#Source3:	dbx-aa64.esl
-Source4:	shim-find-debuginfo.sh
-Source5:        centos.esl
-
-Patch0:         0001-Add-vendor-esl.patch
+#Source2:       dbx-x64.esl
+#Source3:       dbx-aa64.esl
+Source4:        shim-find-debuginfo.sh
 
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= 0.106-1
@@ -125,23 +122,17 @@ COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit)
 MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}"
 %ifarch aarch64
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+        MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
 if [ -f "%{SOURCE3}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
-fi
-if [ -f "%{SOURCE5}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
+        MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
 fi
 %else
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+        MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
-fi
-if [ -f "%{SOURCE5}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
+        MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 %endif
 cd %{name}-%{version}-%{efiarch}
@@ -159,8 +150,8 @@ pesign -h -P -i shim%{efiarch}.efi -h > shim%{efiarch}.hash
 install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
 install -m 0644 shim%{efiarch}.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim%{efiarch}.hash
 for x in shim%{efiarch} mm%{efiarch} fb%{efiarch} ; do
-	install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
-	install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+        install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+        install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
 done
 
 %ifarch x86_64
@@ -169,40 +160,40 @@ pesign -h -P -i shimia32.efi -h > shimia32.hash
 install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
 install -m 0644 shimia32.hash $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/shimia32.hash
 for x in shimia32 mmia32 fbia32 ; do
-	install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
-	install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+        install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+        install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
 done
 cd ../%{name}-%{version}-%{efiarch}
 %endif
 
 %ifarch x86_64
-%global __debug_install_post						\
-	bash %{SOURCE4}							\\\
-		%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
-		%{?_find_debuginfo_opts} 				\\\
-		"%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
-	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
-	mv debugfiles.list ../debugfiles-%{efiarch}.list		\
-	cd ..								\
-	cd %{name}-%{version}-ia32					\
-	bash %{SOURCE4}							\\\
-		%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
-		%{?_find_debuginfo_opts}				\\\
-		"%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32"	\
-	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
-	mv debugfiles.list ../debugfiles-ia32.list			\
-	cd ..								\
-	%{nil}
+%global __debug_install_post                                            \
+        bash %{SOURCE4}                                                 \\\
+                %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+                %{?_find_debuginfo_opts}                                \\\
+                "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+        rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+        mv debugfiles.list ../debugfiles-%{efiarch}.list                \
+        cd ..                                                           \
+        cd %{name}-%{version}-ia32                                      \
+        bash %{SOURCE4}                                                 \\\
+                %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+                %{?_find_debuginfo_opts}                                \\\
+                "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32"  \
+        rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
+        mv debugfiles.list ../debugfiles-ia32.list                      \
+        cd ..                                                           \
+        %{nil}
 %else
-%global __debug_install_post						\
-	bash %{SOURCE4}							\\\
-		%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
-		%{?_find_debuginfo_opts}				\\\
-		"%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
-	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
-	mv debugfiles.list ../debugfiles-%{efiarch}.list		\
-	cd ..								\
-	%{nil}
+%global __debug_install_post                                            \
+        bash %{SOURCE4}                                                 \\\
+                %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+                %{?_find_debuginfo_opts}                                \\\
+                "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+        rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+        mv debugfiles.list ../debugfiles-%{efiarch}.list                \
+        cd ..                                                           \
+        %{nil}
 %endif
 
 %files -n shim-unsigned-%{efiarch}
@@ -226,9 +217,9 @@ cd ../%{name}-%{version}-%{efiarch}
 %endif
 
 %changelog
-* Mon Jul 23 2018 Fabian Arrotin <arrfab@centos.org> - 12-2.el7.centos
-- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk)
-- Rebuilt with combined centos.esl (so new and previous crt)
+* Mon Jun 18 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Update to shim 15
+  Resolves: rhbz#1589961
 
 * Thu Apr 27 2017 Peter Jones <pjones@redhat.com> - 12-1
 - Update to 12-1 to work around a signtool.exe bug