diff --git a/openEuler_ca.der b/openEuler_ca.der
new file mode 100644
index 0000000000000000000000000000000000000000..0fe8086805491fb96302947c3abfa7005b32dba1
Binary files /dev/null and b/openEuler_ca.der differ
diff --git a/shim.spec b/shim.spec
index ed13b465d430c860a42ed36f3511a3dd3462aeba..dba474d7ce01ebd04a70cb3c596b9c6c2c2c4763 100644
--- a/shim.spec
+++ b/shim.spec
@@ -21,11 +21,11 @@
 %global shimBOOT /boot/efi/EFI/BOOT/
 %global enable_sm 0
-%global vendor_cert %{nil}
+%global vendor_cert %{SOURCE3}
 Name: shim
 Version: 15.7
-Release: 5
+Release: 6
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -33,6 +33,7 @@ URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
+Source3: openEuler_ca.der
 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -56,6 +57,11 @@ Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
 Patch9005:Feature-add-tpcm-support-with-ipmi-channel.patch
 BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
+
+%if 0%{?openEuler_sign_rsa}
+BuildRequires: sign-openEuler
+%endif
+
 %ifarch aarch64
 BuildRequires: binutils >= 2.37-7
 %endif
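Review bot: `%global vendor_cert %{SOURCE3}` is defined before the `Source3:` tag that gives `%{SOURCE3}` its value (that tag is added in the next hunk, @@ -33); rpm appears to keep the unresolved `%{SOURCE3}` text in the macro body and only resolves it when `%{vendor_cert}` is expanded later in the build, so this works by deferred expansion rather than by design. A form that does not depend on declaration order is `%global vendor_cert %{_sourcedir}/openEuler_ca.der`, or simply moving the `%global` below the Source tags. Since this macro names the certificate shim embeds as its vendor cert, and every second-stage image chaining to it will be accepted, a one-line comment above it stating which CA this is and that the key used by the `sign-openEuler` step must chain to it would make the trust relationship explicit.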
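Review bot: `Source3: openEuler_ca.der` introduces a binary certificate whose contents cannot be reviewed in this diff, so its identity should be recorded in the spec where a later replacement of the blob would be noticed. A comment above the tag of the form `# openEuler_ca.der: <CA subject>, SHA-256 <fingerprint>` (placeholders, to be filled from `openssl x509 -inform der -noout -subject -fingerprint -sha256 -in openEuler_ca.der`) gives reviewers something to compare the file against. The same line is the natural place to state that the cert is compiled into shim unconditionally, while the signing step that follows is gated on `openEuler_sign_rsa`.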
@@ -111,6 +117,14 @@ cd build-%{efi_arch}
 make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
 cd ..
+%if 0%{?openEuler_sign_rsa}
+echo "start sign"
+
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
+%endif
+
 %install
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
@@ -168,6 +182,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
+* Mon Feb 26 2024 huangzq6 - 15.7-6
+- add signature for secureboot
+
 * Mon Feb 19 2024 jinlun -15.7-5
 - fix CVE-2023-0464
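Review bot: The three `/opt/sign-openEuler/client ... add` lines in %build differ only in the image name, so a later change to the key name or sign type can be applied to some images and missed on others; a `for img in shim fb mm` loop keeps the options in one place. Nothing after the sign step records what was actually attached to each image; pesign is already a BuildRequires, so `pesign -S -i <image>` after each signing call puts the signing certificate into the build log where it can be compared with the vendor certificate embedded via `%{vendor_cert}`. The `echo "start sign"` adds nothing the build log does not already show, as rpm normally runs the scriptlet under `set -x`, and can be dropped. The %build section continues outside this hunk.
```rpmspec
%if 0%{?openEuler_sign_rsa}
for img in shim fb mm; do
    image=%{_builddir}/shim-%{version}/build-%{efi_arch}/${img}%{efi_arch}.efi
    /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode "${image}"
    # record in the build log which certificate signed this image
    pesign -S -i "${image}"
done
%endif
```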