Module loading needs the issuer certificate to validate the signature, and that certificate is not embedded in the signature itself. For now embed both the signing certificate and the root CA.