You can get a signed kernel by signing the kernel. It doesn't really matter how it was built as long as you can insert the extra step to sign it after. Any Authenticode signing tool will work, for example:
- signtool
- osslsigncode
- pesign
However, keep in mind that typical PCs only come with one or two approved signers (Microsoft and sometimes Canonical).
Everything else has to go through a proxy mechanism; either you submit every single kernel for Microsoft to sign (unrealistic), or you use Red Hat's shim (which is already signed) to chain-load your kernel, or of course you install your own Secure Boot keys as a "trusted signer" in your EFI firmware, which is only possible by going through the firmware settings interface.
So if you fully control the target hardware, you could generate your own KEK/PK/db keypairs and install them, then just have the build process run signtool (using the db key) on vmlinuz or any other .efi executable involved.
(The Arch Linux Wiki instructions may be relevant. The keypairs are self-signed X.509 certificates for "Code signing" usage – they don't have to come from a commercial CA.)
If you are not in full control of the hardware, then you will need to involve Shim in your boot process, which means getting "someone else's" copy of a signed Shimx64.efi that is already Microsoft-signed (such as the Fedora/RedHat one) and having it start your vmlinuz.efi or your grubx64.efi. You will not be able to achieve completely seamless Secure Boot like what you have with Ubuntu (who has a version of Shim that will only "seamlessly" boot kernels signed by Ubuntu); there will be at least one step to have Shim enroll your SB signing key as a "MOK".
(It's Shim that implements "MOKs" (Machine Owner Keys); UEFI itself has no such concept.)
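A build-pipeline check that the signing step actually ran, as an added example that is not part of the original answer: it walks the PE certificate table of a kernel or .efi image and reports whether an Authenticode (PKCS#7) entry is attached. The function names and the sample image are constructed for illustration, and the check only detects a missing signature; it does not validate the signature or tell you whether the firmware's db or Shim's MOK list trusts the signer.

```python
import struct

CERT_TABLE_INDEX = 4                     # data directory slot for the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def certificate_entries(image: bytes):
    """Return [(revision, cert_type, payload_len)] from a PE certificate table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 24                # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    if struct.unpack_from("<I", image, dirs_off - 4)[0] <= CERT_TABLE_INDEX:
        return []
    # For this directory the "address" field is a plain file offset, not an RVA.
    off, size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_TABLE_INDEX)
    if off == 0 or size == 0:
        return []                        # unsigned image
    end = off + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], off
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, length - 8))
        pos += (length + 7) & ~7         # entries are 8-byte aligned
    return entries

def has_authenticode_signature(image: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in certificate_entries(image))

def build_sample_image(signed: bool) -> bytes:
    """Constructed test input: bare PE32+ headers, optionally with a dummy entry."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs, tail = bytearray(16 * 8), b""
    if signed:
        tail = struct.pack("<IHH", 20, 0x0200, 2) + b"\0" * 16  # 12-byte payload + pad
        struct.pack_into("<II", dirs, 8 * CERT_TABLE_INDEX, 0x40 + 4 + 20 + 112 + 128, len(tail))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + tail
```

On a real build, read the image with `open(path, "rb").read()` and fail the job when `has_authenticode_signature` returns False.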