...
$ sbsign --key DB.key --cert DB.crt --output EmptyApplication-Riscv.efi.signed EmptyApplication-Riscv.efi
With the default sbsign in Ubuntu 20.04 this fails with an "Invalid PE header magic" error. In that case, rebuild sbsigntools as described in Step 3. If the error does not occur, skip Step 3.
Step 3 (Optional): Download and rebuild the latest sbsigntools
$ git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
$ cd sbsigntools/
$ vim src/coff/pe.h
Make sure the RISCV64 machine type is defined:
#define IMAGE_FILE_MACHINE_RISCV64 0x5064
$ git clone https://github.com/rustyrussell/ccan.git lib/ccan.git
$ git submodule init
$ git submodule update
$ sudo apt-get install binutils-dev gnu-efi help2man
$ ./autogen.sh
$ ./configure
$ make
$ cd ../
$ ./sbsigntools/src/sbsign --key DB.key --cert DB.crt --output EmptyApplication-Riscv.efi.signed EmptyApplication-Riscv.efi
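A pre-check for Step 3, as an added example that is not part of the original page or of sbsigntools: it reads the COFF machine field of a .efi file and checks whether an sbsigntools checkout defines IMAGE_FILE_MACHINE_RISCV64 in src/coff/pe.h. The function names and the constructed 70-byte sample stub are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from sbsigntools).

# Print the little-endian unsigned integer stored in NBYTES at OFFSET of FILE.
read_le() {  # usage: read_le FILE OFFSET NBYTES
    bytes=$(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null) || return 1
    val=0; mul=1; n=0
    for b in $bytes; do
        val=$((val + b * mul)); mul=$((mul * 256)); n=$((n + 1))
    done
    [ "$n" -eq "$3" ] || return 1      # short read: file is truncated
    echo "$val"
}

# Print the COFF machine field of a PE image (0x5064 for RISCV64).
pe_machine() {  # usage: pe_machine FILE
    # "MZ" read as a little-endian u16 is 0x5A4D = 23117
    [ "$(read_le "$1" 0 2)" = 23117 ] || { echo "not an MZ image" >&2; return 1; }
    pe_off=$(read_le "$1" 60 4) || return 1        # e_lfanew lives at 0x3c
    # "PE\0\0" read as a little-endian u32 is 0x00004550 = 17744
    [ "$(read_le "$1" "$pe_off" 4)" = 17744 ] || { echo "no PE signature" >&2; return 1; }
    m=$(read_le "$1" $((pe_off + 4)) 2) || return 1  # machine follows the signature
    printf '0x%04x\n' "$m"
}

# Succeed if the sbsigntools tree at DIR defines the RISCV64 machine type.
sbsign_knows_riscv64() {  # usage: sbsign_knows_riscv64 DIR
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+IMAGE_FILE_MACHINE_RISCV64[[:space:]]+0x5064' \
        "$1/src/coff/pe.h"
}

# Constructed sample: a 70-byte stub holding only the fields read above
# (MZ, e_lfanew = 0x40, PE signature, machine = 0x5064). Not a loadable image.
make_sample() {  # usage: make_sample OUTFILE
    { printf 'MZ'; dd if=/dev/zero bs=1 count=58 2>/dev/null
      printf '\100\000\000\000PE\000\000\144\120'; } > "$1"
}

# When run with a file argument, report its machine type.
[ "$#" -eq 0 ] || pe_machine "$1"
```

If pe_machine reports 0x5064 for the binary and sbsign_knows_riscv64 fails for the source tree you are about to build, add the define shown in Step 3 before running make.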
Step 4: Update sbsigntool to the latest version if you encounter the "invalid PE header magic" issue when signing a riscv64 binary
Step 3: Copy the public key to the FAT disk
...
$ cp *.cer ~/src/fat/
Step 54: Enroll the PK, KEK, DB keys to the EDK2 as the Custom Secure Keys
...