You do not need to sign the kernel, It is already signed.
The shim, which authenticates to the bios secure boot , contains a signature and a recent update of the signature key from microsoft in bios (and invalidation of the older key) is the cause of this. The user cannot sign anything to match the keys provided from microsoft (in bios and in the newest shim files)
You will need to first disable secure boot, then get everything updated, then and only then will you be able to enable secure boot again.
I think that doing sudo dnf reinstall grub2-efi* should update the shim packages but it may be necessary to first remove them (everything under /boot/efi/EFI/fedora/) then do sudo dnf reinstall grub2-efi* grub2-common so everything gets installed new. The second command will reinstall and rebuild everything under /boot/efi/EFI/fedora.
Sometimes a reinstall only verifies files exist instead of always writing them new.