diff --git a/shim.conf b/shim.conf
new file mode 100644
index 0000000000000000000000000000000000000000..39cc4ffca67a900b7ab4e061852a0774d9ed2832
--- /dev/null
+++ b/shim.conf
@@ -0,0 +1 @@
+shim
diff --git a/shim.spec b/shim.spec
index 9b02edfe0390314997ea760f4e97a599f4be07d6..b169460d88edbfec5c255c28b1727d5f2b394166 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@
 
 Name: shim
 Version: 15.6
-Release: 25
+Release: 26
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -34,6 +34,7 @@ Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
 Source3: default-x509ca.der
+Source4: shim.conf
 
 Patch1:backport-CVE-2017-3735.patch
 Patch2:backport-CVE-2017-3737.patch
@@ -207,6 +208,10 @@ install -m 644 fb%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefi
 install -m 644 mm%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
 install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
 
+# install dnf protection config
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+install -m 0644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+
 cd ..
 
 %check
@@ -220,6 +225,7 @@ make test
 %{shimefivendor}/%{bootcsv}
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
+%{_sysconfdir}/dnf/protected.d/shim.conf
 
 %files debuginfo
 %defattr(-,root,root,-)
@@ -232,6 +238,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Thu Jul 31 2025 Qin Fandong - 15.6-26
+- Add shim to dnf protected packages list
+
 * Tue Feb 11 2025 fuanan -15.6-25
 - fix the issue that the gBS->LoadImage pointer was empty.
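Review bot: In the `@@ -207,6 +208,10 @@` hunk of shim.spec the installed file name is left implicit (it is the basename of `%{SOURCE4}`), while the `%files` entry added further down hard-codes `shim.conf`; the two new lines also write `$RPM_BUILD_ROOT` where the neighbouring lines use `${RPM_BUILD_ROOT}`. Naming the target, `install -D -p -m 0644 %{SOURCE4} ${RPM_BUILD_ROOT}%{_sysconfdir}/dnf/protected.d/shim.conf`, keeps the two in step and makes the separate `install -d` line unnecessary. The comment could state the purpose rather than the action, e.g. `# dnf protected.d entry: keeps "dnf remove" from uninstalling the first-stage UEFI bootloader`. It is a guard against accidental removal through dnf, not an access control, which is worth saying in the changelog or comment so nobody relies on it as one. The enclosing spec section starts and ends outside the hunk.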
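Review bot: The `%files` entry added in the `@@ -220,6 +225,7 @@` hunk places a file under `%{_sysconfdir}` with no `%config` directive, so rpm treats it as ordinary payload: an upgrade overwrites local edits and `rpm -V` reports any modification. For a protection marker that is probably the wanted behaviour, but it should be stated next to the entry, e.g. `# deliberately not %config: upgrades should restore the dnf protection entry`; if administrators are meant to be able to edit it, use `%config(noreplace) %{_sysconfdir}/dnf/protected.d/shim.conf` instead. The `protected.d` directory itself is not listed, so unless a package this spec requires owns it (not visible in this diff) it will be left unowned on systems installed without dnf. The `%files` section starts and ends outside the hunk.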