Because patching /usr/sbin/dkms after every update quickly gets old, I found another workaround by putting this into /etc/dkms/framework.conf:
====
do_signing=1

# Succeeds if the user cancelled ("no") or if the passphrase in
# KBUILD_SIGN_PIN unlocks the MOK signing key.
check_the_mok_key() {
    case "${KBUILD_SIGN_PIN-}" in
        [Nn][oO]) return 0;;
    esac
    KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN-}" \
    openssl rsa -in "$mok_signing_key" \
        -passin env:KBUILD_SIGN_PIN -check -noout || return
}

# Prompts (with terminal echo off) until the key check passes.
ask_for_mok_password() {
    until check_the_mok_key; do
        stty -echo
        printf "\nEnter passphrase for %s (type 'no' to cancel):" \
            "$mok_signing_key"
        IFS='' read -r KBUILD_SIGN_PIN || KBUILD_SIGN_PIN=no
        stty echo
    done
}

# Asks for the passphrase on the terminal, then runs the signing tool
# with the passphrase passed in the environment.
kmodsign() {
    ask_for_mok_password < /dev/tty > /dev/tty 2>&1
    KBUILD_SIGN_PIN="${KBUILD_SIGN_PIN-}" "$sign_file" "$@"
}
====

Hopefully this will be resolved in the future and this workaround will no longer be necessary.