If you're flashing via the UEFI interface itself (which can have a very fancy terminal), the firmware might need to be signed. I bet Microsoft will not share the signing keys.
That is only used to check firmware signatures, not UEFI binary signatures. You should be able to add keys to DB and KEK at your leisure. Also, Microsoft has a paid program to sign UEFI binaries (that's why you can boot most Linux distributions on Secure Boot hardware).