You can't. The post is still somewhat valuable, but should really not use "trustworthy."

Why can't you? The article explains how.

It's right there in the article: "In the general purpose Linux world, we use an intermediate bootloader called Shim to bridge from the Microsoft signing authority to a distribution one."

So you need to trust Microsoft for the first keys :)

We do that for convenience, so you can boot Linux without having to hunt through firmware menus to reconfigure them. But every machine /should/ let the user enroll their own keys[1], so users are free to shift to a different signing authority.

[1] Every machine I've ever had access to has. If anyone has an x86 machine with a Windows 8 or later sticker that implements secure boot but doesn't let you modify the secure boot key database, I have a standing offer that I'll buy one myself and do what I can to rectify this. I just need a model number and some willingness on your part to chip in if it turns out you were wrong.

I have been trying to improve the usability of secure boot key management on Linux for the past year by writing some libraries from scratch and sbctl. I have even started writing full integration testing with tianocore/ovmf!

https://github.com/Foxboron/sbctl

It should hopefully end up being an improvement on efitools and sbsigntools. Tried posting about this on HN but somehow it's a topic with little to no interest, strange world!