What I did.
I generated GPG keys from PureBoot to boot to my OS.
Everything looks good: I can boot to the OS and the Librem Key validates that there are no changes in the /boot partition.
What I did after, inside my OS:
I factory reset my Librem Key (gpg --card-edit … admin, factory-reset …), generated new keys, and PureBoot (28.3) still sees everything as OK.
Why is that?
Worth noting how boot validation works.
When you are setting up PureBoot, the public key is flashed into the PureBoot config.
So PureBoot, while comparing signatures, verifies whether the files on /boot are signed with the key stored in PureBoot, not the one on the Librem Key.
Try modifying grub.cfg (adding a new line at the end of the config should be a harmless change).
PureBoot will warn you that the file is wrong. You can re-sign with your key, and then on the next reboot you will get a warning about a key mismatch: signature vs. key in PureBoot.
You will have to replace the public key stored in the BIOS from the settings menu.
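To make the reply's point concrete, here is an added example (not code from Purism, PureBoot, or either poster) that models the check in Python: the firmware keeps its own copy of the public key, verifies a signed manifest of /boot with that key, and only then compares file hashes. A small textbook RSA with Miller-Rabin key generation stands in for GnuPG and the Librem Key (hypothetical and insecure, for illustration only); the /boot contents, file names, and verdict strings are constructed. `walkthrough()` replays the thread's steps: setup, factory reset of the token, editing grub.cfg, re-signing with the new key, and finally updating the key stored in the firmware.

```python
"""Model of a PureBoot-style /boot check: the firmware trusts the public key
it stores itself, not whatever key currently sits on the Librem Key.
Added example; the toy RSA below is a stand-in for GnuPG and is NOT secure."""
import hashlib
import secrets

E = 65537  # public exponent for the toy RSA stand-in (assumption)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def generate_key():
    """Stands in for generating a key on the token: returns (public, private)."""
    while True:
        p, q = random_prime(64), random_prime(64)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this is gcd(E, phi) == 1
            break
    n = p * q
    fpr = hashlib.sha256(f"{n}:{E}".encode()).hexdigest()[:16]
    return {"n": n, "e": E, "fpr": fpr}, {"n": n, "d": pow(E, -1, phi), "fpr": fpr}


def _digest_int(data):
    # 120-bit truncation keeps the value below the (at least 126-bit) modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:15], "big")


def sign(priv, data):
    return pow(_digest_int(data), priv["d"], priv["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data)


def build_manifest(boot_files):
    """A sha256sum-style listing of /boot, one line per file (constructed)."""
    return "".join(f"{hashlib.sha256(b).hexdigest()}  {path}\n"
                   for path, b in sorted(boot_files.items())).encode()


def check_boot(firmware_pubkey, boot_files, manifest, manifest_sig):
    """What the firmware does at boot: verify the manifest signature with the
    key it stores, then compare every file on /boot against the manifest."""
    if not verify(firmware_pubkey, manifest, manifest_sig):
        return "signature does not verify against firmware key"
    for line in manifest.decode().splitlines():
        digest, path = line.split("  ", 1)
        if hashlib.sha256(boot_files.get(path, b"")).hexdigest() != digest:
            return f"hash mismatch: {path}"
    return "ok"


def walkthrough():
    """Replays the thread's steps; returns the firmware verdict after each."""
    boot = {  # constructed stand-in for /boot
        "/boot/vmlinuz": b"kernel image bytes",
        "/boot/initrd.img": b"initramfs bytes",
        "/boot/grub/grub.cfg": b"set default=0\nmenuentry 'PureOS' { linux /vmlinuz }\n",
    }
    verdicts = []
    # 1. Setup: key A is on the token, its PUBLIC half is flashed into the firmware
    pub_a, priv_a = generate_key()
    firmware_key = pub_a
    manifest = build_manifest(boot)
    sig = sign(priv_a, manifest)
    verdicts.append(check_boot(firmware_key, boot, manifest, sig))
    # 2. Factory-reset the token and generate key B; /boot and firmware untouched
    pub_b, priv_b = generate_key()
    verdicts.append(check_boot(firmware_key, boot, manifest, sig))  # still ok
    # 3. Append a harmless line to grub.cfg
    boot["/boot/grub/grub.cfg"] += b"# harmless comment\n"
    verdicts.append(check_boot(firmware_key, boot, manifest, sig))
    # 4. Re-sign /boot with key B, the key now on the token
    manifest = build_manifest(boot)
    sig = sign(priv_b, manifest)
    verdicts.append(check_boot(firmware_key, boot, manifest, sig))
    # 5. Replace the public key stored in the firmware with B's
    firmware_key = pub_b
    verdicts.append(check_boot(firmware_key, boot, manifest, sig))
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(walkthrough(), 1):
        print(step, verdict)
```

Step 2 is the asker's observation: resetting the token changes nothing the firmware looks at, so the old signature still verifies. Step 4 is the "key mismatch" the reply describes, and step 5 is the fix of updating the key stored in the firmware.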