Ok, a key point here is that your dbx includes Microsoft's recent revocations of older grub versions; and an examination of the daily image shows that it's currently using an old grub signed with the old key instead of the current grub:
$ sudo kpartx -a ~/devel/iso/groovy-desktop-amd64.iso
$ sudo mount /dev/mapper/loop8p2 /mnt
$ sbattach -d /tmp/grub.sig /mnt/efi/boot/grubx64.efi
$ openssl pkcs7 -noout -inform DER -in /tmp/grub.sig -print_certs
subject=C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing
issuer=C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
Ok, a key point here is that your dbx includes Microsoft's recent revocations of older grub versions; and an examination of the daily image shows that it's currently using an old grub signed with the old key instead of the current grub:
$ sudo kpartx -a ~/devel/ iso/groovy- desktop- amd64.iso boot/grubx64. efi
$ sudo mount /dev/mapper/loop8p2 /mnt
$ sbattach -d /tmp/grub.sig /mnt/efi/
$ openssl pkcs7 -noout -inform DER -in /tmp/grub.sig -print_certs
subject=C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing
issuer=C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
$ sudo umount /mnt iso/groovy- desktop- amd64.iso
$ sudo kpartx -d ~/devel/
$
This is not a bug in grub but in the construction of the daily images, which apparently do not automatically track the current grub.