diff --git a/.gitmodules b/.gitmodules
index 4e5d47a..d20fce8 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -2,3 +2,6 @@
 path = gnu-efi
 url = https://github.com/rhboot/gnu-efi
 branch = shim-15.6
+[submodule "kernelcare-contrib/edk2-pytool-extensions"]
+ path = kernelcare-contrib/edk2-pytool-extensions
+ url = https://github.com/tianocore/edk2-pytool-extensions.git
diff --git a/kernelcare-build-2026-06-04/SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_aarch64.efi b/kernelcare-build-2026-06-04/SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_aarch64.efi
new file mode 100644
index 0000000..f21f4ab
Binary files /dev/null and b/kernelcare-build-2026-06-04/SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_aarch64.efi differ
diff --git a/kernelcare-build-2026-06-04/SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_x86_64.efi b/kernelcare-build-2026-06-04/SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_x86_64.efi
new file mode 100644
index 0000000..5690243
Binary files /dev/null and b/kernelcare-build-2026-06-04/SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_x86_64.efi differ
diff --git a/kernelcare-build-2026-06-04/SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_aarch64.efi b/kernelcare-build-2026-06-04/SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_aarch64.efi
new file mode 100644
index 0000000..b90dd52
Binary files /dev/null and b/kernelcare-build-2026-06-04/SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_aarch64.efi differ
diff --git a/kernelcare-build-2026-06-04/SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_x86_64.efi b/kernelcare-build-2026-06-04/SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_x86_64.efi
new file mode 100644
index 0000000..d5bc4a6
Binary files /dev/null and b/kernelcare-build-2026-06-04/SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_x86_64.efi differ
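Review bot: The new submodule, like the existing gnu-efi entry, is fetched through `github.com/...` instead of github.com directly; if that host is not a deliberately maintained mirror, the image-validation tooling that stamps the binary sent for signing is only as trustworthy as that proxy, and the gitlink commit (34d3253, recorded elsewhere in this diff) is the sole protection against it serving altered content. Prefer the canonical upstream `url = https://github.com/tianocore/edk2-pytool-extensions.git`, and consider recording the release the pinned commit corresponds to, as the gnu-efi entry does with `branch = shim-15.6`, so a tooling update is a visible, reviewable change rather than a silent gitlink bump.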
diff --git a/kernelcare-build-2026-06-04/SignedBy_dual/info.txt b/kernelcare-build-2026-06-04/SignedBy_dual/info.txt
new file mode 100644
index 0000000..a949bb4
--- /dev/null
+++ b/kernelcare-build-2026-06-04/SignedBy_dual/info.txt
@@ -0,0 +1,27 @@
+## 2011 signature comes first according to MS recommendations.
+#
+# pesign -S -i shim_certificate_kernelcare_x86_64.efi
+---------------------------------------------
+certificate address is 0x7fb856663808
+Content was not encrypted.
+Content is detached; signature cannot be verified.
+The signer's common name is Microsoft Windows UEFI Driver Publisher
+No signer email address.
+No signing time included.
+There were certs or crls included.
+---------------------------------------------
+certificate address is 0x7fb856665e30
+Content was not encrypted.
+Content is detached; signature cannot be verified.
+The signer's common name is Microsoft UEFI CA 2023 signer
+No signer email address.
+No signing time included.
+There were certs or crls included.
+---------------------------------------------
+
+---
+# dual signature in a nutshell:
+cp SignedBy_MSFT2011UEFICA/shim_certificate_kernelcare_aarch64.efi .
+pesign -i SignedBy_MSFT2023UEFICA/shim_certificate_kernelcare_aarch64.efi -e shim_certificate_kernelcare_aarch64.efi.sig
+pesign -i shim_certificate_kernelcare_aarch64.efi -o shim_certificate_kernelcare_aarch64.efi.dual -m shim_certificate_kernelcare_aarch64.efi.sig
+mv shim_certificate_kernelcare_aarch64.efi.dual shim_certificate_kernelcare_aarch64.efi
diff --git a/kernelcare-build-2026-06-04/SignedBy_dual/shim_certificate_kernelcare_x86_64.efi b/kernelcare-build-2026-06-04/SignedBy_dual/shim_certificate_kernelcare_x86_64.efi
new file mode 100644
index 0000000..b2fd92b
Binary files /dev/null and b/kernelcare-build-2026-06-04/SignedBy_dual/shim_certificate_kernelcare_x86_64.efi differ
diff --git a/kernelcare-build-2026-06-04/shim_certificate_kernelcare_aarch64.efi b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_aarch64.efi
new file mode 100644
index 0000000..b52e162
Binary files /dev/null and b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_aarch64.efi differ
diff --git a/kernelcare-build-2026-06-04/shim_certificate_kernelcare_aarch64.log b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_aarch64.log
new file mode 100644
index 0000000..4257e4d
--- /dev/null
+++ b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_aarch64.log
@@ -0,0 +1,31 @@
++ efisecdb -a -g f77d6619-1cc1-471b-ba03-efbae888d268 -c kernelcare-contrib/kernelcare_pub_longterm_2032.der -o 01.esl
++ efisecdb -a -g 73c0f53d-7043-43dd-9455-e73ee1a10c32 -c kernelcare-contrib/kernelcare_pub.der -o 02.esl
++ cat 01.esl 02.esl
++ yum list
+++ uname -m
+++ uname -m
++ grep -e '^gcc.aarch64' -e '^binutils.aarch64'
+binutils.aarch64 2.35.2-72.el9 @baseos
+gcc.aarch64 11.5.0-14.el9.alma.1 @appstream
++ make update all
+git submodule update --init --recursive
+gcc -O0 -g3 -fPIC -Werror -Wall -Wextra -fshort-wchar -fno-merge-constants -ffreestanding -fno-stack-protector -fno-stack-check --std=gnu11 -DCONFIG_aarch64 -I/work/kernelcare-certwrapper/gnu-efi//inc -I/work/kernelcare-certwrapper/gnu-efi//inc/aarch64 -I/work/kernelcare-certwrapper/gnu-efi//inc/protocol -ffreestanding -I/usr/lib/gcc/aarch64-redhat-linux/11/include -DVENDOR_DB -c -o certwrapper.o certwrapper.c
+gcc -O0 -g3 -fPIC -Werror -Wall -Wextra -fshort-wchar -fno-merge-constants -ffreestanding -fno-stack-protector -fno-stack-check --std=gnu11 -DCONFIG_aarch64 -I/work/kernelcare-certwrapper/gnu-efi//inc -I/work/kernelcare-certwrapper/gnu-efi//inc/aarch64 -I/work/kernelcare-certwrapper/gnu-efi//inc/protocol -ffreestanding -I/usr/lib/gcc/aarch64-redhat-linux/11/include -DVENDOR_DB -x c -c -o sbat_data.o /dev/null
+objcopy --add-section .sbat=/work/kernelcare-certwrapper/data/sbat.csv \
+ --set-section-flags .sbat=contents,alloc,load,readonly,data \
+ sbat_data.o
+gcc -nostdlib -fPIC -Wl,--warn-common -Wl,--no-undefined -Wl,-shared -Wl,-Bsymbolic -L/usr/lib64 -L/work/kernelcare-certwrapper/gnu-efi/ -Wl,--build-id=sha1 -Wl,--hash-style=sysv -o certwrapper.so certwrapper.o sbat_data.o \
+ /usr/lib/gcc/aarch64-redhat-linux/11/libgcc.a \
+ -T /work/kernelcare-certwrapper/elf_aarch64_efi.lds
+/usr/bin/ld: warning: certwrapper.so has a LOAD segment with RWX permissions
+objcopy -j .text -j .reloc -j .db -j .sbat \
+ --file-alignment 512 --section-alignment 4096 -D \
+ --strip-unneeded --set-section-alignment .db=512 --set-section-flags .db=alloc,contents,load,readonly,data --add-section .db="db.esl" --change-section-address .db=0x1b000 \
+ --target efi-app-aarch64 certwrapper.so certwrapper.efi
++ mv certwrapper.efi kernelcare-build/shim_certificate_kernelcare_aarch64.efi
++ python -m edk2toolext.image_validation --set-nx-compat -i kernelcare-build/shim_certificate_kernelcare_aarch64.efi
++ python -m edk2toolext.image_validation -p APP -i kernelcare-build/shim_certificate_kernelcare_aarch64.efi
+INFO - Overall Result: [PASS]
++ python -m edk2toolext.image_validation --get-nx-compat -i kernelcare-build/shim_certificate_kernelcare_aarch64.efi
+INFO - True
++ true
diff --git a/kernelcare-build-2026-06-04/shim_certificate_kernelcare_x86_64.efi b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_x86_64.efi
new file mode 100644
index 0000000..f545284
Binary files /dev/null and b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_x86_64.efi differ
diff --git a/kernelcare-build-2026-06-04/shim_certificate_kernelcare_x86_64.log b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_x86_64.log
new file mode 100644
index 0000000..11be9ec
--- /dev/null
+++ b/kernelcare-build-2026-06-04/shim_certificate_kernelcare_x86_64.log
@@ -0,0 +1,30 @@
++ efisecdb -a -g f77d6619-1cc1-471b-ba03-efbae888d268 -c kernelcare-contrib/kernelcare_pub_longterm_2032.der -o 01.esl
++ efisecdb -a -g 73c0f53d-7043-43dd-9455-e73ee1a10c32 -c kernelcare-contrib/kernelcare_pub.der -o 02.esl
++ cat 01.esl 02.esl
++ yum list
+++ uname -m
+++ uname -m
++ grep -e '^gcc.x86_64' -e '^binutils.x86_64'
+binutils.x86_64 2.35.2-72.el9 @baseos
+gcc.x86_64 11.5.0-14.el9.alma.1 @appstream
++ make update all
+git submodule update --init --recursive
+gcc -O0 -g3 -fPIC -Werror -Wall -Wextra -fshort-wchar -fno-merge-constants -ffreestanding -fno-stack-protector -fno-stack-check --std=gnu11 -DCONFIG_x86_64 -I/work/kernelcare-certwrapper/gnu-efi//inc -I/work/kernelcare-certwrapper/gnu-efi//inc/x86_64 -I/work/kernelcare-certwrapper/gnu-efi//inc/protocol -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -I/usr/lib/gcc/x86_64-redhat-linux/11/include -DVENDOR_DB -c -o certwrapper.o certwrapper.c
+gcc -O0 -g3 -fPIC -Werror -Wall -Wextra -fshort-wchar -fno-merge-constants -ffreestanding -fno-stack-protector -fno-stack-check --std=gnu11 -DCONFIG_x86_64 -I/work/kernelcare-certwrapper/gnu-efi//inc -I/work/kernelcare-certwrapper/gnu-efi//inc/x86_64 -I/work/kernelcare-certwrapper/gnu-efi//inc/protocol -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -I/usr/lib/gcc/x86_64-redhat-linux/11/include -DVENDOR_DB -x c -c -o sbat_data.o /dev/null
+objcopy --add-section .sbat=/work/kernelcare-certwrapper/data/sbat.csv \
+ --set-section-flags .sbat=contents,alloc,load,readonly,data \
+ sbat_data.o
+gcc -nostdlib -fPIC -Wl,--warn-common -Wl,--no-undefined -Wl,-shared -Wl,-Bsymbolic -L/usr/lib64 -L/work/kernelcare-certwrapper/gnu-efi/ -Wl,--build-id=sha1 -Wl,--hash-style=sysv -o certwrapper.so certwrapper.o sbat_data.o \
+ /usr/lib/gcc/x86_64-redhat-linux/11/libgcc.a \
+ -T /work/kernelcare-certwrapper/elf_x86_64_efi.lds
+objcopy -j .text -j .reloc -j .db -j .sbat \
+ --file-alignment 512 --section-alignment 4096 -D \
+ --strip-unneeded --set-section-alignment .db=512 --set-section-flags .db=alloc,contents,load,readonly,data --add-section .db="db.esl" --change-section-address .db=0xb000 \
+ --target efi-app-x86_64 certwrapper.so certwrapper.efi
++ mv certwrapper.efi kernelcare-build/shim_certificate_kernelcare_x86_64.efi
++ python -m edk2toolext.image_validation --set-nx-compat -i kernelcare-build/shim_certificate_kernelcare_x86_64.efi
++ python -m edk2toolext.image_validation -p APP -i kernelcare-build/shim_certificate_kernelcare_x86_64.efi
+INFO - Overall Result: [PASS]
++ python -m edk2toolext.image_validation --get-nx-compat -i kernelcare-build/shim_certificate_kernelcare_x86_64.efi
+INFO - True
++ true
diff --git a/kernelcare-contrib/build-all.sh b/kernelcare-contrib/build-all.sh
new file mode 100755
index 0000000..160c436
--- /dev/null
+++ b/kernelcare-contrib/build-all.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+# Build shim_certificate_kernelcare for x86_64 and aarch64 in almalinux:9
+# containers (aarch64 runs under qemu-user-static) and save each .efi + .log
+# under kernelcare-build-/. Needs docker + network access.
+#
+# Run: bash kernelcare-contrib/build-all.sh
+
+set -euo pipefail
+
+IMAGE="almalinux:9"
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+OUT="$REPO_ROOT/kernelcare-build-$(date +%Y-%m-%d)"
+
+# provisioning + build, run inside each container
+CONTAINER_SCRIPT='
+set -euxo pipefail
+dnf -y install make gcc binutils git efivar python3 python3-pip python-unversioned-command
+pip3 install --quiet pefile
+git config --global --add safe.directory "*"
+cd /work/kernelcare-certwrapper && bash kernelcare-contrib/build.sh
+'
+
+# register foreign-arch emulation once (idempotent)
+[ -e /proc/sys/fs/binfmt_misc/qemu-aarch64 ] || \
+ docker run --rm --privileged multiarch/qemu-user-static --reset -p yes >/dev/null
+
+mkdir -p "$OUT"
+for entry in x86_64:linux/amd64 aarch64:linux/arm64; do
+ arch="${entry%%:*}" platform="${entry##*:}" c="cw-${entry%%:*}"
+ echo ">>> building $arch ($platform)"
+ docker rm -f "$c" >/dev/null 2>&1 || true
+ docker run -d --name "$c" --platform "$platform" "$IMAGE" sleep infinity >/dev/null
+ docker exec "$c" mkdir -p /work
+ docker cp "$REPO_ROOT" "$c:/work/kernelcare-certwrapper"
+ docker exec "$c" bash -c "$CONTAINER_SCRIPT"
+ docker cp "$c:/work/kernelcare-certwrapper/kernelcare-build/." "$OUT/"
+ docker rm -f "$c" >/dev/null
+done
+
+echo ">>> results in $OUT"
+ls -l "$OUT"
diff --git a/kernelcare-contrib/build.sh b/kernelcare-contrib/build.sh
new file mode 100755
index 0000000..9301d68
--- /dev/null
+++ b/kernelcare-contrib/build.sh
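Review bot: None of the build's inputs are pinned, so two runs of this script from the same commit can yield different binaries: `IMAGE="almalinux:9"` is a floating tag, `pip3 install --quiet pefile` inside CONTAINER_SCRIPT takes whatever pefile release PyPI serves that day, and `multiarch/qemu-user-static` is pulled unpinned and executed with `--privileged` on the host. For an artifact that is handed to Microsoft for signing, and whose build log is kept in the repo as the provenance record, pin the base image by digest (`IMAGE="almalinux:9@sha256:<digest>"`), pin pefile to a version with hash checking (`pip3 install --quiet --require-hashes -r requirements.txt` or at least `'pefile==<version>'`), and pin the qemu image the same way. It would also help to echo `docker image inspect --format '{{.RepoDigests}}' "$IMAGE"` before the loop so the saved output records which image actually produced each .efi.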
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# some required and extra packages:
+# make gcc pesign nss-tools efivar
+# (or also efitools for alternatively using cert-to-efi-sig-list)
+
+# abort on first fail
+set -e
+
+# paths
+KCARE_CONTRIB_PATH="kernelcare-contrib"
+KCARE_CERT_LEGACY="$KCARE_CONTRIB_PATH/kernelcare_pub.der"
+KCARE_CERT_LONGTERM="$KCARE_CONTRIB_PATH/kernelcare_pub_longterm_2032.der"
+
+# cert owner GUIDs
+KCARE_CERT_LEGACY_UUID="73c0f53d-7043-43dd-9455-e73ee1a10c32"
+KCARE_CERT_LONGTERM_UUID="f77d6619-1cc1-471b-ba03-efbae888d268"
+
+# build outputs
+BUILD_DIR="kernelcare-build"
+BUILD_NAME="shim_certificate_kernelcare_`uname -m`"
+BINARY="$BUILD_DIR/$BUILD_NAME.efi"
+LOG="$BUILD_DIR/$BUILD_NAME.log"
+
+export PYTHONPATH="$KCARE_CONTRIB_PATH/edk2-pytool-extensions"
+IMAGE_VALIDATION_TOOL="python -m edk2toolext.image_validation"
+
+# cleanup
+make clean
+rm -rf *.efi *.esl $BUILD_DIR
+mkdir -p $BUILD_DIR
+
+# trace and log every command from here
+exec > "$LOG" 2>&1
+set -x
+
+# convert x509 format to an EFI Signature List format, concatenate certs
+#
+# Note: place LONGTERM as the 1st one so the shim binaries which lack
+# 2daf1db (multiple ESLs in one .db section) or
+# ea0f9df (broken multiple shim_certificate*.efi files, fixed in 470a8cd)
+# will be able to use it even after LEGACY one expires. shim <16.1 is able
+# to import only 1st cert.
+efisecdb -a -g $KCARE_CERT_LONGTERM_UUID -c $KCARE_CERT_LONGTERM -o 01.esl
+efisecdb -a -g $KCARE_CERT_LEGACY_UUID -c $KCARE_CERT_LEGACY -o 02.esl
+cat 01.esl 02.esl > db.esl
+
+# - log used toolchain;
+# - build;
+# - validate as per KernelCare Security Assessment (2025).
+yum list | grep -e ^gcc.`uname -m` -e ^binutils.`uname -m`
+make update all
+mv certwrapper.efi $BINARY
+# set and verify IMAGE_DLLCHARACTERISTICS_NX_COMPAT for binaries
+$IMAGE_VALIDATION_TOOL --set-nx-compat -i $BINARY
+$IMAGE_VALIDATION_TOOL -p APP -i $BINARY
+# --get-nx-compat exits with the flag VALUE (1 = set, 0 = not set), not a
+# success code - just proceed.
+$IMAGE_VALIDATION_TOOL --get-nx-compat -i $BINARY || true
+
+## optional: test before providing to MS for signing
+##
+# efikeygen -d /etc/pki/pesign --ca --self-sign --nickname='kcare-uefi-test' --common-name="CN=kcare-uefi-test" --serial=00
+## export pub cert
+# certutil -L -d /etc/pki/pesign -n kcare-uefi-test -o kcare-uefi-test.der -r
+## copy to EFI folder so it will be available within UEFI
+# cp kcare-uefi-test.der /boot/efi/EFI/
+## sign and test certwrapper
+# pesign -i certwrapper.efi -o /boot/efi/EFI/rocky/shim_certificate.efi -c kcare-uefi-test -s
+##
+## reboot, enable SecureBoot, enroll DB key
+## in OVMF use:
+## Device Manager ->
+## Secure Boot Configuration ->
+## Secure Boot Mode (Custom) ->
+## Custom Secure Boot Options ->
+## DB Options ->
+## Enroll Signature Using File
+## Don't forget to verify if SB is enabled, e.g. via 'mokutil --sb-state'
+## Verify that all keys are imported via certwrapper and listed after reboot:
+## mokutil --list-enrolled | egrep -i 'SHA1|Issuer'
diff --git a/kernelcare-contrib/edk2-pytool-extensions b/kernelcare-contrib/edk2-pytool-extensions
new file mode 160000
index 0000000..34d3253
--- /dev/null
+++ b/kernelcare-contrib/edk2-pytool-extensions
@@ -0,0 +1 @@
+Subproject commit 34d3253ed0077f8813394e1903c76c514277631a
diff --git a/kernelcare-contrib/kernelcare_pub.der b/kernelcare-contrib/kernelcare_pub.der
new file mode 100644
index 0000000..2f834dc
Binary files /dev/null and b/kernelcare-contrib/kernelcare_pub.der differ
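Review bot: The NX_COMPAT "verify" step (the `--get-nx-compat ... || true` line before the optional test block) does not gate anything: under `set -e`, exit 0 (flag not set, per the comment above it) simply continues, and exit 1 (flag set) is swallowed by `|| true`, so a binary without the flag would still be produced and handed on for signing. If the exit code really is the flag value as the comment states (the logs in this diff show `INFO - True` followed by `++ true`, which is consistent with exit 1), turn it into a real gate: `if $IMAGE_VALIDATION_TOOL --get-nx-compat -i $BINARY; then echo "NX_COMPAT not set on $BINARY" >&2; exit 1; fi`, keeping in mind that a Python traceback also exits 1, so the preceding `-p APP` validation remains the stronger check. Since this log is the provenance record for what goes to Microsoft, it would also be worth recording content hashes rather than only paths, e.g. `sha256sum "$KCARE_CERT_LEGACY" "$KCARE_CERT_LONGTERM" db.esl "$BINARY"` after the `mv`, so a reviewer can tie the committed .der files and the submitted .efi to a specific log.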
diff --git a/kernelcare-contrib/kernelcare_pub_longterm_2032.der b/kernelcare-contrib/kernelcare_pub_longterm_2032.der
new file mode 100644
index 0000000..20c650c
Binary files /dev/null and b/kernelcare-contrib/kernelcare_pub_longterm_2032.der differ