Enable shim.efi support

[noryb009]

In #10, the code to use shim.efi was added, but later disabled in 8d64cba5b00272cdd4d0516e54add87d52043881. There are currently a lot of steps one need to do to whitelist the key used to sign efi files, and the steps are not super clear.

IIRC, there is a Linux-only tool that makes the keytool.efi steps easier: it asks the user if they want to enroll a key instead of making the user go find the key on their hard drive. This tool (at least the relevant part) would need to be ported to Windows and integrated.