Signing with specific MOK key current installation Ubuntu 18.04

I’ve been allowing the current installers to detect secure boot and sign and enroll MOK keys during installation.

Unfortunately, I just setup a new workstation that has a BIOS bug that causes mokutil to fail every command. :(

I did figure out how to manually enroll a key in the BIOS setup and enable secure boot. But now need to sign everything with that specific key on that particular machine.

I want to update to 410.78 (and later) which works well on the other two machines, but need to control the signing process on the workstation I just setup.

If I download and run the latest CUDA installers, how do I either get it to use my key, or retrieve it’s key so I can manually install it into the bios?

Use the kernel’s signing facility: https://www.kernel.org/doc/html/v4.15/admin-guide/module-signing.html

Right - I know how to manually sign kmods, but I was wondering more about the specific process for the CUDA installer. It will automatically sign things and enroll the keys in the BIOS during installation, which is pretty handy.

The issue is with the current BIOS for certain ASUS workstation boards. It breaks the linux mokutil command, so that you can’t enroll the key anymore from Linux. The mokutil command fails all commands. Some other boards and laptop have this issue as well. It is a BIOS problem (or more rightly, a UEFI problem).

I can enroll the key manually, by putting it on a USB stick and entering the UEFI bios setup and manually enrolling it.

I already have a key there in my machine. I want the NVidia driver installer to use my specific key when I load the next driver update or CUDA installer, rather than trying to generate its own.

Ok, I misunderstood.
If you’re using the .run installer, at least the driver installer has --module-signing* options. Use the -A option to get the help for advanced options.