If your Windows has been receiving monthly updates, C:\Windows\System32\SecureBootUpdates will contain the latest versions of the GitHub files. DBXUpdateSVN.bin got bumped in Oct 2025 from SVN 5.0 to 7.0.
My update script has an option to check the MS GitHub for a newer version of both
DBXUpdate.bin &
DBXUpdateSVN.bin.
Code:
Update_UEFI-CA2023.ps1 -Revoke -Latest
The script doesn't base its check on the filesizes or timestamps, it compares the actual contents and decides if the GitHub files have updates which your current UEFI is missing (431 EFI signature hashes in DBX, and SVN 7.0). If there's no changes, it will skip over them.
You can re-run "-Revoke -Latest" at any time to force a comparison against the GitHub files.
Only
DBXUpdate.bin &
DBXUpdateSVN.bin are expected to change over the time, as the other cert .bin files are static. The Confidence Bucket and KEK databases are for the Secure Boot task's internal use, and don't matter after you've completed all the Secure Boot steps.