
> If the build is reproducible, the signatures will match the output of future builds.

Anything that contains traces of a private key is not reproducible. The public key needs to be embedded in the kernel to be able to load the signed modules. If you distribute them without a signature, you can't load them due to the kernel not trusting them; if you sign them in any way with a private key, they aren't reproducible since you don't want to hand out the private key. And to prevent additional random stuff being signed with the private key, it gets discarded.

> If the user wants to use a custom kernel module, they’ll need to either rebuild with a new key, or turn off safe boot.

Or you can just sign the additional modules (e.g. DKMS) with the same key you sign the kernel & bootloader that you need to enroll into the UEFI anyway. It is less work on the user's end, and if the distro themselves wanna enable secure boot without user intervention via shim, they need to do the signing stuff anyway.
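
An added example, not part of the comment above: Linux appends a module's signature after the module body, so two builds signed with different throwaway keys differ as whole files while the bodies can still be compared once the trailer is split off. The function names are hypothetical, the two "signatures" are constructed stand-in bytes rather than real PKCS#7 data, and only the PKCS#7 trailer layout is handled.

```python
import hashlib
import struct

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32.
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def split_signed_module(blob: bytes):
    """Return (module_body, signature); signature is None if unsigned."""
    if not blob.endswith(MAGIC):
        return blob, None
    info_end = len(blob) - len(MAGIC)
    info_start = info_end - TRAILER.size
    if info_start < 0:
        raise ValueError("truncated signature trailer")
    _, _, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(blob, info_start)
    if id_type != PKEY_ID_PKCS7 or signer_len or key_id_len:
        raise ValueError("unsupported signature trailer")
    if sig_len > info_start:
        raise ValueError("signature length exceeds file size")
    return blob[:info_start - sig_len], blob[info_start - sig_len:info_start]


def same_body(a: bytes, b: bytes) -> bool:
    """True when two modules are identical once signatures are removed."""
    return split_signed_module(a)[0] == split_signed_module(b)[0]


def attach_constructed_signature(body: bytes, sig: bytes) -> bytes:
    """Sample-data helper: append stand-in signature bytes in the trailer layout."""
    return body + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


# Constructed sample: one module body "signed" by two different throwaway keys.
BODY = b"\x7fELF" + b"constructed module body" * 4
BUILD_A = attach_constructed_signature(BODY, b"\xaa" * 256)
BUILD_B = attach_constructed_signature(BODY, b"\xbb" * 256)

if __name__ == "__main__":
    for name, blob in (("A", BUILD_A), ("B", BUILD_B)):
        print(name, hashlib.sha256(blob).hexdigest()[:16])  # whole-file hashes differ
    print("bodies match:", same_body(BUILD_A, BUILD_B))
```
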


