The last option wasn't hugely attractive, but is probably the least worst. Microsoft will be offering signing services through their sysdev portal. It's not entirely free (there's a one-off $99 fee to gain access), but it's cheaper than any realistic alternative would have been. It ensures compatibility with as wide a range of hardware as possible and it avoids Fedora having any special privileges over other Linux distributions. If there are better options then we haven't found them. So, in all probability, this is the approach we'll take. Our first stage bootloader will be signed with a Microsoft key.
My reply to this:
This is completely unacceptable to me. I'm very disappointed with Red Hat.
Red Hat is a billion-dollar company with a large market share in the server market, and therefore has a lot of influence on hardware manufacturers (a lot of server manufacturers also make laptops and desktops). Red Hat should therefore have used its influence to force a solution that would be acceptable to the FOSS world.
I will NEVER buy any hardware where 'secure boot' cannot be FULLY DISABLED (either by a BIOS option, by flashing a custom BIOS, or with a hardware DIP switch), and if that means I will be stuck with 2012 hardware then so be it.
I hope you all make your voice heard too!