I've read that installing Linux on UEFI PCs requires additional steps to disable the requirement for digitally signed bootloaders.
But I thought that open source software can be digitally signed by using the private key to sign the source code and releasing the public key, and doing the same for the compiled software?
While you can sign the software this does not mean that you can store the public key needed for signature validation in the device which should do the verification. Just releasing the public key does not make it magically available on all places which need to do the verification.
In case of SecureBoot the UEFI system which needs to validate the signatures is not open source. And even if it would be open source this does not mean that systems come pre-installed with the key you used for signing. In the existing implementations some vendors allow you to store your own keys for validation and others don't. This means that every user of the signed software has either to disable SecureBoot or add the key you used for signing, if this is possible at all. Since both of these option are too complex for the average user it would be much better if one could use one of the keys already known by the implementation for signing. This of course means that you need to have access to the related private key.
The current workaround in Ubuntu is to have a small shim signed by someone which has access to the needed private key (i.e. Microsoft) and then boot the rest of the system from there. See Ubuntu Wiki: SecureBoot for the technical details.
