diff --git a/f12484869c9590682ac3253d583bf59b890bb826.patch b/f12484869c9590682ac3253d583bf59b890bb826.patch
new file mode 100644
index 0000000..11bed89
--- /dev/null
+++ b/f12484869c9590682ac3253d583bf59b890bb826.patch
@@ -0,0 +1,59 @@
+From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
+From: dann frazier
+Date: Wed, 12 Aug 2020 15:27:08 -0600
+Subject: sbkeysync: Don't ignore errors from insert_new_keys()
+
+If insert_new_keys() fails, say due to a full variable store, we currently
+still exit(0). This can make it difficult to know something is wrong.
+For example, Debian and Ubuntu implement a secureboot-db systemd service
+to update the DB and DBX, which calls:
+
+ ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
+
+But although this seemed to succeed on my system, looking at the logs shows
+a different story:
+
+Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
+Error writing key update: Invalid argument
+Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
+
+Signed-off-by: dann frazier
+Signed-off-by: James Bottomley
+---
+ src/sbkeysync.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index e51f177..7748990 100644
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -889,10 +889,12 @@ int main(int argc, char **argv)
+ {
+ bool use_default_keystore_dirs;
+ struct sync_context *ctx;
++ int rc;
+
+ use_default_keystore_dirs = true;
+ ctx = talloc_zero(NULL, struct sync_context);
+ list_head_init(&ctx->new_keys);
++ rc = EXIT_SUCCESS;
+
+ for (;;) {
+ int idx, c;
+@@ -985,10 +987,10 @@ int main(int argc, char **argv)
+ if (ctx->verbose)
+ print_new_keys(ctx);
+
+- if (!ctx->dry_run)
+- insert_new_keys(ctx);
++ if (!ctx->dry_run && insert_new_keys(ctx))
++ rc = EXIT_FAILURE;
+
+ talloc_free(ctx);
+
+- return EXIT_SUCCESS;
++ return rc;
+ }
+--
+cgit 1.2.3-1.el7
+
diff --git a/sbsigntools.spec b/sbsigntools.spec
index 129aaa8..150891e 100644
--- a/sbsigntools.spec
+++ b/sbsigntools.spec
@@ -2,7 +2,7 @@
 Name: sbsigntools
 Version: 0.9.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Signing utility for UEFI secure boot
 License: GPLv3+
 URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
@@ -14,6 +14,8 @@ Source1: %{name}-mktarball.sh
 Patch0: %{name}-no-git.patch
 # add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
 Patch1: %{name}-gnuefi.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
+Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
 # same as gnu-efi
 ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
 BuildRequires: automake
@@ -80,6 +82,9 @@ make check
 %{_mandir}/man1/sbverify.1.*
 %changelog
+* Mon May 17 2021 Dominik Mierzejewski - 0.9.4-3
+- don't ignore errors from sbkeysync (fixes rhbz#1955828)
+
 * Wed Jul 29 2020 Fedora Release Engineering - 0.9.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
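Review bot: Patch2 is declared in the second hunk, but nothing in this diff applies it; if %prep uses %setup with explicit %patchN lines rather than %autosetup, the build silently ships without the fix unless a matching `%patch2 -p1` is added, and that section lies outside the diff. The URL is pinned to a commit id, which is the right way to reference an upstream fix, but the `#/f1248….patch` fragment only names the local file and carries no integrity check of its own; what actually gets applied is the copy added in the first section of this diff, so reviewers should confirm that copy matches the referenced upstream commit. A one-line comment such as `# upstream commit f12484869c95, backported verbatim` next to Patch2 would make that provenance explicit for the next maintainer.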