diff --git a/fedora-ca.cer b/fedora-ca.cer
index 1ddde77..b81707b 100644
Binary files a/fedora-ca.cer and b/fedora-ca.cer differ
diff --git a/mokutil-correct-moklistrt-size.patch b/mokutil-correct-moklistrt-size.patch
new file mode 100644
index 0000000..2f3bcef
--- /dev/null
+++ b/mokutil-correct-moklistrt-size.patch
@@ -0,0 +1,54 @@
+From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
+Return-Path: jwboyer@redhat.com
+Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
+ zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
+ zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
+ 11:12:04 -0500 (EST)
+Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
+ by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
+ for ; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
+Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
+ by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
+ Tue, 11 Dec 2012 11:12:03 -0500
+Date: Tue, 11 Dec 2012 11:12:01 -0500
+From: Josh Boyer
+To: pjones@redhat.com
+Cc: mjg59@srcf.ucam.org
+Subject: [PATCH] Fix SignatureSize field when importing a new cert
+Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
+Status: RO
+Content-Length: 842
+Lines: 25
+
+The SignatureSize field should be the length of the certificate plus
+16 per the UEFI spec. Remove the extraneous addition of
+sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
+in MokListRT are parsable.
+---
+ src/mokutil.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
+index ca46488..f94aee4 100644
+--- a/mokutil-0.1.0/src/mokutil.c
++++ b/mokutil-0.1.0/src/mokutil.c
+@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
+ CertList->SignatureListSize = sizes[i] +
+ sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
+ CertList->SignatureHeaderSize = 0;
+- CertList->SignatureSize = sizes[i] +
+- sizeof(EFI_SIGNATURE_DATA) + 16;
++ CertList->SignatureSize = sizes[i] + 16;
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+
+ fd = open (files[i], O_RDONLY);
+--
+1.8.0.1
+
+
diff --git a/shim.spec b/shim.spec
index a5d5fa8..8c565bb 100644
--- a/shim.spec
+++ b/shim.spec
@@ -1,6 +1,6 @@ Name: shim Version: 0.2 -Release: 2%{?dist}.1 +Release: 3%{?dist} Summary: First-stage UEFI bootloader License: BSD
@@ -24,6 +24,7 @@ Source3: dbx.esl Patch0: 0001-Fix-grub-path.patch Patch1: 0002-Remove-extraneous-debug-code.patch +Patch2: mokutil-correct-moklistrt-size.patch BuildRequires: gnu-efi git openssl-devel openssl BuildRequires: pesign >= 0.99-9
@@ -60,13 +61,13 @@ under secure boot environments. %prep %setup -q -n shim-%{version} +%setup -q -a 2 -D -T git init git config user.email "shim-owner@fedoraproject.org" git config user.name "Fedora Ninjas" git add . git commit -a -q -m "%{version} baseline." git am %{patches} - 0.2-3 +- Fix mokutil's idea of signature sizes. + * Wed Nov 28 2012 Matthew Garrett - 0.2-2 - Fix secure_mode() always returning true
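Review bot: In the nested mokutil.c hunk the corrected `SignatureSize` uses a literal `16`, while the unchanged `SignatureListSize` line above it still derives the same quantity as `sizeof(EFI_SIGNATURE_DATA) - 1`, so the two length fields agree only if that struct is packed with a one-byte data member, which is not visible here. Because consumers of MokListRT walk the list using these lengths, I would compute the owner-GUID size once, for example `offsetof(EFI_SIGNATURE_DATA, SignatureData)` (assuming the struct follows the UEFI field names), and use it in both assignments. `sizes[i]` is also added with no range check visible in the hunk; if it comes straight from the file length, an upper bound on certificate size would be worth enforcing where it is computed. Separately, the patch file is a saved mailbox message whose `Received:` headers carry internal relay hostnames and 10.x addresses; regenerating it with `git format-patch` would keep those out of the public repository. import_moks starts and ends outside the hunk.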
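Review bot: The changelog entry added in the last shim.spec hunk mentions only the mokutil size fix, but the same commit also replaces `fedora-ca.cer`, which is presumably the CA certificate that shim is built to trust. A change to a trust anchor should be traceable, so I would add a changelog line such as `- Update fedora-ca.cer (SHA-256 fingerprint: <FINGERPRINT_PLACEHOLDER>)` and give the reason in the commit message. The new `%setup -q -a 2 -D -T` line would also benefit from a comment naming the source it unpacks (presumably the mokutil tarball) and noting that it has to run before `git init` so that `git am` can apply the mokutil patch.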