The kernel modules usually are signed with a different key. That key is created at build time and its pubic key is discarded after the build (and after the modules have been signed) and the kernel uses the private key to validate the modules IIRC. That is how Archlinux enables can somewhat support Secure Boot without the user needing to sign every kernel module or firmware file (it is also the reason why all the kernel packages aren’t reproducable).