Comment 8 for bug 1621367

here's the script for signing kernel modules of any existing kernel version

#!/bin/bash
######
# https://github.com/Canonical-kernel/Ubuntu-kernel/blob/master/Documentation/module-signing.txt
######
kernelName=`uname -r`
echo
echo "currently installed kernels:"
ls -d /usr/src/linux-headers-*
echo
echo "currently booted kernel: \"$kernelName\""
echo -n "which kernel to sign? "
read kernelName
echo $kernelName

echo
echo "signing modules for kernel \"$kernelName\" (`mokutil --sb-state`)"
echo

for module in /lib/modules/${kernelName}/updates/dkms/*.ko ; do
 echo -ne "\t-" $module
 tail -n1 $module | grep -aq '~Module signature appended~' > /dev/null
 if [ $? -eq 1 ]; then
  sudo /usr/src/linux-headers-${kernelName}/scripts/sign-file sha256 ./MOK-selfsigned-kernel-module.priv ./MOK-selfsigned-kernel-module.der ${module}
  echo " ... OK"
 else
  echo " ... skipped"
 fi
done