diff --git a/lib/libsecureboot/Makefile.inc b/lib/libsecureboot/Makefile.inc
--- a/lib/libsecureboot/Makefile.inc
+++ b/lib/libsecureboot/Makefile.inc
@@ -77,12 +77,16 @@
 # needs to be yes for FIPS 140-2 compliance
 VE_SELF_TESTS?= no
 
+CFLAGS+= -I.
+
+.if ${VE_SIGNATURE_EXT_LIST:M*sig} != ""
 # this is what we use as our trust anchor
-CFLAGS+= -I. -DTRUST_ANCHOR_STR=ta_PEM
+CFLAGS+= -DTRUST_ANCHOR_STR=ta_PEM
 
 .if ${VE_SELF_TESTS} != "no"
 XCFLAGS.vets+= -DVERIFY_CERTS_STR=vc_PEM
 .endif
+.endif
 
 # clean these up
 VE_HASH_LIST:= ${VE_HASH_LIST:tu:O:u}
diff --git a/lib/libsecureboot/openpgp/opgp_sig.c b/lib/libsecureboot/openpgp/opgp_sig.c
--- a/lib/libsecureboot/openpgp/opgp_sig.c
+++ b/lib/libsecureboot/openpgp/opgp_sig.c
@@ -339,6 +339,16 @@
 				mlen = br_sha256_SIZE;
 				hash_oid = BR_HASH_OID_SHA256;
 				break;
+			case 9:			/* sha384 */
+				md = &br_sha384_vtable;
+				mlen = br_sha384_SIZE;
+				hash_oid = BR_HASH_OID_SHA384;
+				break;
+			case 10:		/* sha512 */
+				md = &br_sha512_vtable;
+				mlen = br_sha512_SIZE;
+				hash_oid = BR_HASH_OID_SHA512;
+				break;
 			default:
 				warnx("unsupported hash algorithm: %s", hname);
 				rc = -1;
diff --git a/lib/libsecureboot/vets.c b/lib/libsecureboot/vets.c
--- a/lib/libsecureboot/vets.c
+++ b/lib/libsecureboot/vets.c
@@ -200,11 +200,13 @@
 	}
 }
 
+#ifdef VERIFY_CERTS_STR
 static void
 free_cert_contents(br_x509_certificate *xc)
 {
 	xfree(xc->data);
 }
+#endif
 
 /*
  * a bit of a dance to get commonName from a certificate
@@ -372,13 +374,15 @@
 	size_t num;
 
 	num = 0;
-	xcs = parse_certificates(buf, len, &num);
-	if (xcs != NULL) {
-		num = ve_trust_anchors_add(xcs, num);
+	if (len > 0) {
+		xcs = parse_certificates(buf, len, &num);
+		if (xcs != NULL) {
+			num = ve_trust_anchors_add(xcs, num);
 #ifdef VE_OPENPGP_SUPPORT
-	} else {
-		num = openpgp_trust_add_buf(buf, len);
+		} else {
+			num = openpgp_trust_add_buf(buf, len);
 #endif
+		}
 	}
 	return (num);
 }
@@ -398,15 +402,17 @@
 	size_t num;
 
 	num = 0;
-	xcs = parse_certificates(buf, len, &num);
-	if (xcs != NULL) {
-		num = ve_forbidden_anchors_add(xcs, num);
+	if (len > 0) {
+		xcs = parse_certificates(buf, len, &num);
+		if (xcs != NULL) {
+			num = ve_forbidden_anchors_add(xcs, num);
 #ifdef VE_OPENPGP_SUPPORT
-	} else {
-		if (buf[len - 1] == '\n')
-			buf[len - 1] = '\0';
-		num = openpgp_trust_revoke((char *)buf);
+		} else {
+			if (buf[len - 1] == '\n')
+				buf[len - 1] = '\0';
+			num = openpgp_trust_revoke((char *)buf);
 #endif
+		}
 	}
 	return (num);
 }