
The better thing to do for this case is to only check the code signing certificate's validity at install time rather than every time you run the code. Then you don't have to have boundlessly growing CRLs. In general checking code signatures at run-time is just a perf-killing waste of resources. Ideally secure, measured boot would also measure the OS filesystems you're booting, and that kinda requires a content-addressed storage copy-on-write type filesystem such that you can seal boot/keys to a root hash of the root filesystem, but here we are in 2025 and we don't quite have that yet. ZFS comes closest, though it's not a CAS FS, but somehow the last mile of this never got implemented by anyone in any operating system.
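The "seal boot/keys to a root hash of the root filesystem" idea in the comment above is easier to see with a small model. The following is an added example, not code from the commenter or from any real filesystem: it treats a directory tree as a content-addressed Merkle tree (a simplification of what ZFS-style block trees do), derives a root hash, and shows two consequences the comment relies on. Any change below the root (content, name or layout) changes the root, so a sealed value recorded at install time fails to match after tampering, and a copy-on-write update copies only the directories on the modified path, so untouched subtrees keep their addresses and can be shared. All names (`blob_id`, `tree_id`, `with_file`, `seal_matches`) and the sample filesystem are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Union

# A directory tree in memory: name -> file bytes, or name -> subtree.
Tree = Dict[str, Union[bytes, "Tree"]]


def blob_id(data: bytes) -> str:
    """Content address of a file: hash of a type tag plus the bytes."""
    return hashlib.sha256(b"blob\0" + data).hexdigest()


def tree_id(tree: Tree) -> str:
    """Content address of a directory: hash of its sorted, typed entries.

    Each entry contributes its kind, name and child id, so the result is a
    Merkle root that changes if any file, name or layout below it changes."""
    h = hashlib.sha256(b"tree\0")
    for name in sorted(tree):
        child = tree[name]
        if isinstance(child, dict):
            kind, cid = "tree", tree_id(child)
        else:
            kind, cid = "blob", blob_id(child)
        h.update(f"{kind} {name} {cid}\n".encode())
    return h.hexdigest()


def with_file(tree: Tree, path: str, data: bytes) -> Tree:
    """Copy-on-write update: return a new tree with `path` set to `data`.

    Only the directories on the path are copied; sibling subtrees are shared
    with the original, so their content addresses stay the same."""
    head, _, rest = path.partition("/")
    new = dict(tree)  # shallow copy of this directory only
    if rest:
        sub = tree.get(head)
        new[head] = with_file(sub if isinstance(sub, dict) else {}, rest, data)
    else:
        new[head] = data
    return new


def seal_matches(measured_root: str, sealed_root: str) -> bool:
    """Release decision: the measured root must equal the value sealed at
    install time (constant-time compare, as for any secret-adjacent check)."""
    return hmac.compare_digest(measured_root, sealed_root)


# Constructed sample root filesystem (not a real OS image).
SAMPLE_ROOTFS: Tree = {
    "boot": {"vmlinuz": b"kernel image bytes"},
    "etc": {"fstab": b"/dev/root / ext4 defaults 0 1\n"},
    "usr": {"bin": {"sh": b"#!ELF shell", "ls": b"#!ELF ls"}},
}


def demo() -> dict:
    sealed = tree_id(SAMPLE_ROOTFS)  # recorded once, at install/seal time
    # A later boot measures identical content: the seal releases.
    ok = seal_matches(tree_id(SAMPLE_ROOTFS), sealed)
    # One modified binary yields a new root; /etc and /boot are still shared.
    tampered = with_file(SAMPLE_ROOTFS, "usr/bin/ls", b"#!ELF ls modified")
    return {
        "ok": ok,
        "tampered_ok": seal_matches(tree_id(tampered), sealed),
        "etc_shared": tree_id(tampered["etc"]) == tree_id(SAMPLE_ROOTFS["etc"]),
        "usr_changed": tree_id(tampered["usr"]) != tree_id(SAMPLE_ROOTFS["usr"]),
    }


if __name__ == "__main__":
    print(demo())
```

The type tags (`blob\0`, `tree\0`) and the kind/name/id line format keep a file and a directory with the same bytes from colliding, which is the same reason real Merkle formats domain-separate their node types. The structural sharing in `with_file` is what lets a CAS/CoW filesystem re-measure cheaply after an update: only the hashes along the changed path need recomputing.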

