Comment 15 for bug 1892754

Ok, a key point here is that your dbx includes Microsoft's recent revocations of older grub versions; and an examination of the daily image shows that it's currently using an old grub signed with the old key instead of the current grub:

$ sudo kpartx -a ~/devel/iso/groovy-desktop-amd64.iso
$ sudo mount /dev/mapper/loop8p2 /mnt
$ sbattach -d /tmp/grub.sig /mnt/efi/boot/grubx64.efi
$ openssl pkcs7 -noout -inform DER -in /tmp/grub.sig -print_certs
subject=C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing

issuer=C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority

$ sudo umount /mnt
$ sudo kpartx -d ~/devel/iso/groovy-desktop-amd64.iso
$

This is not a bug in grub but in the construction of the daily images, which apparently do not automatically track the current grub.