Can’t public-key verification be used for third party modules?

Oh, that's a good point. I had assumed that since DKMS modules are built after the kernel on which they depend that this couldn't work, but you're right that you could generate a key, embed the public key in the kernel, and then sign the DKMS build with the private key.