Signing yes. If you can create that code to do signing, please turn on. Otherwise, meanwhile please turn off.
This also needs to be integrated with DKMS.
Since the essence of DKMS is a single contained bash script, we could safely ship a newer version which supports module signing. See: enforce kernel module software signature verification [module signing] / disallow kernel module loading by default - #53 by Patrick
But even while the newer version of DKMS supports module signing, modules such as virtualbox do not make use of it. Automated module signing during kernel upgrade and module upgrade is still a non-trivial challenge.
When modules are upgraded, these need to be recompiled. This happens automatically by DKMS (but not yet with module signing). Therefore we cannot delete the signing key. But we could restrict signing key access with apparmor-profile-everything.
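One way to check whether DKMS-built modules actually ended up signed after an upgrade (an added example, not part of the original post and not code from DKMS or Whonix): signed modules end with the kernel's 28-byte marker `~Module signature appended~\n`, so a script can list every `.ko` file that lacks it. The function names are hypothetical, and the directory to scan is passed by the caller (on Debian-based systems DKMS modules are typically installed under `/lib/modules/<kernel version>/updates/dkms`).

```shell
#!/bin/sh
# Added example: report kernel modules that carry no appended signature.
# Presence check only: it does not verify the signature or the signing key;
# the kernel does that when signature enforcement is enabled.

# printf format string for the marker the kernel expects at the end of a signed module.
MODSIG_MARKER='~Module signature appended~\n'

# Hex-encode stdin so binary tails (which may contain NUL bytes) compare safely.
to_hex() { od -An -tx1 | tr -d ' \n'; }

# Return 0 if file $1 ends with the 28-byte module signature marker.
module_is_signed() {
    want=$(printf "$MODSIG_MARKER" | to_hex)
    got=$(tail -c 28 "$1" | to_hex)
    [ "$got" = "$want" ]
}

# Print every uncompressed .ko under directory $1 that lacks the marker.
# Compressed modules (.ko.xz, .ko.zst) are not inspected by this sketch.
list_unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        module_is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# Usage: sh check-modsig.sh /lib/modules/"$(uname -r)"/updates/dkms
# (script name and path are assumptions; pass whichever directory to audit)
if [ "$#" -gt 0 ]; then
    list_unsigned_modules "$1"
fi
```

Any path this prints after a kernel or module upgrade is a module that DKMS rebuilt without signing, which would fail to load once signature verification is enforced.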