For technical reasons, all of my tools broke with all versions of TianoCore after r14141 (Update the DxeImageVerificationLib to support for Authenticode-signed UEFI images with multiple signatures.) What actually happened is that the multi signature verification code got stricter on the alignment requirements for signatures. The current sbsigntools (and even pesign) simply slapped the signature block immediately at the end of the binary. Unfortunately this meant that most of the time it wasn’t actually aligned on a long word boundary meaning that most signatures with old versions of sbsign and pesign start giving security violations on new TianoCore platforms. I’ve fixed sbsigntools to pad the end of the binary and ensure that the signature block always starts on a long word alignment and verified that the signatures now work again with the latest versions of TianoCore.
I’ve updated the OVMF, efitools and sbsigntools packages with fixes for this problem and they should now be propagating through the system.