Re: sign your own software
No, it's a GPL issue. Anyone can add keys, assuming you're not buying from one of the aforementioned OEMs who lock down UEFI's Secure Boot options (which is actually a breach of the Windows certification - the options have to be left open, allowing both custom mode [adding your own keys] and turning it off entirely).
The problem is GRUB, as GPL software, cannot include baked-in keys. The GPL explicitly precludes one from distributing a binary-only version of the program with the secret key baked in. The only "proper" way to meet the requirements of the GPL and UEFI would be to provide a signed bootloader binary, while also providing the plaintext source code, revealing the private key to all and sundry, of course making it utterly worthless. Were software authors using a more permissive license, they would be fully able to publish the bulk of the source code without a key, and provide a signed, official binary compatible with secure boot - even one signed with MS's keys to make the whole thing seamless for non-savvy users.
And, strangely enough, you'll find this is exactly the approach taken by both the shim method and Fedora's method. Neither is distributing their bootloaders' source code with the keys included.
And you know what? At the end of the day, signed binaries are quite nice to have.