> If you need Secure Boot feature to be enabled, you must sign
> compiled kmod packages with your own CA.
This is what's wrong with everything. *This is not okay*. This is
intentionally a poisonous user experience because we provide no
automatic or easy way for this to be done. I understand and agree with
the reasons for why it is this way, but you can't have it both ways if
you want an easy user experience.
So you expect Fedora to provide a signing service using the Fedora
keys for anyone to abuse just so you can run UEFI with secure boot
enabled with your Nvidia GPU. I mean that's like locking the front
door right before you blow the entire back of the building off! I
strongly suspect that would be a violation of the MS secure boot
agreement (I have no idea if this actually is, just widely guessing).
Either you sign the drivers server side and auto-trust that
certificate (prebuilt kmods), or you sign the drivers device-side
(akmods) and auto-trust that certificate.
Or see my other reply for the third option which nvidia could do themselves.