1) For newer pvops kernels we can use kernel.org sign files that are signed
with a new (uncompromised, at least not known to be compromised yet) key
2) For older kernels, we need to use a hash, as kernel.org decided not to
release updated signatures with a new key.
In any case, use hash-based verification additionally; try to minimize trust put
into kernel.org people...
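
The policy described above (the pinned hash is always checked, and the signature is an extra check where one exists) could look like the sketch below. This is an added example, not code from this commit or repository. The function name `verify_source`, its arguments and the keyring path are assumptions.

```shell
#!/bin/sh
# verify_source FILE PINNED_SHA256 [SIGFILE KEYRING]   (hypothetical helper)
# Returns 0 only if every applicable check passes; any doubt is a failure.
# Assumption: FILE is the exact file the signature was made over. If the
# signature covers an uncompressed tarball, decompress first and pin that hash.
verify_source() {
    file=$1
    pinned=$2
    sig=${3:-}
    keyring=${4:-}

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    # A malformed pinned hash is an error, never a reason to skip the check.
    case $pinned in
        ''|*[!0-9a-f]*) echo "pinned hash is not lowercase hex" >&2; return 1 ;;
    esac
    [ "${#pinned}" -eq 64 ] || { echo "pinned hash is not SHA-256 length" >&2; return 1; }

    # 1) Hash check: mandatory for old and new kernels alike.
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$pinned" ]; then
        echo "hash mismatch for $file" >&2
        return 1
    fi

    # 2) Signature check: additional, only when a sign file was supplied.
    #    It never replaces the hash check above.
    if [ -n "$sig" ]; then
        if [ ! -f "$sig" ] || [ ! -f "$keyring" ]; then
            echo "signature requested but sign file or keyring is missing" >&2
            return 1
        fi
        # gpgv trusts only keys in the given keyring. Pass a path containing
        # a slash so it is not looked up in the GnuPG home directory.
        gpgv --keyring "$keyring" "$sig" "$file" >/dev/null 2>&1 || {
            echo "signature verification failed for $file" >&2
            return 1
        }
    fi
    return 0
}
```

The pinned hash is meant to live in the build repository next to the build scripts, so a changed tarball on the download server fails the build even if it arrives with a valid-looking signature.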