In #10, the code to use shim.efi was added, but later disabled in 8d64cba. There are currently a lot of steps one need to do to whitelist the key used to sign efi files, and the steps are not super clear.
IIRC, there is a Linux-only tool that makes the keytool.efi steps easier: it asks the user if they want to enroll a key instead of making the user go find the key on their hard drive. This tool (at least the relevant part) would need to be ported to Windows and integrated.
In #10, the code to use shim.efi was added, but later disabled in 8d64cba. There are currently a lot of steps one need to do to whitelist the key used to sign efi files, and the steps are not super clear.
IIRC, there is a Linux-only tool that makes the keytool.efi steps easier: it asks the user if they want to enroll a key instead of making the user go find the key on their hard drive. This tool (at least the relevant part) would need to be ported to Windows and integrated.