Module loading needs the issuer certificate to validate the signature,
and that certificate is not embedded in the signature itself.
For now embed both the signing certificate and the root CA.
This reverts commit b91655bf3e and part
of commit 16dec97798.
The signing service is still using secure-boot-test-key-lfaraone and
we should make at least one more upload to be signed by it.