Comment 43 for bug 1401532

Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on trusty:

ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64-signed
grub-efi-amd64-signed:
  Installed: 1.34.20+2.02~beta2-9ubuntu1.17
  Candidate: 1.34.20+2.02~beta2-9ubuntu1.17
  Package pin: 1.34.20+2.02~beta2-9ubuntu1.17
  Version table:
 *** 1.34.20+2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.34.18+2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.34.7+2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.34+2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64
grub-efi-amd64:
  Installed: 2.02~beta2-9ubuntu1.17
  Candidate: 2.02~beta2-9ubuntu1.17
  Package pin: 2.02~beta2-9ubuntu1.17
  Version table:
 *** 2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Verified that the kernel signature is now correctly enforced by grub, and if no kernel is signed / signed by a trusted key, the upgrade will correctly fail, to avoid leaving the system unbootable.