You register an additional key, generated by you/the installer. Ubuntu automates it as part of setup, afaik Fedora doesn't but there are instructions for it. Ubuntu generates a key during installation, then requests UEFI register it as a secure boot signing key. You reboot, UEFI will verify in pre-boot that you asked for the key to be added (usually, some BIOSes let you disable this check). DKMS will use that key to sign the modules. Since the kernel gets the UEFI allowed keys from the firmware, it will see these signed modules as valid and load them.
It's not, if a kernel was built and signed that allowed unsigned modules to be loaded that key should be revoked. The way kernel module loading works with secure boot is that modules are signed via kmodsign.
how is this possible?