This script should ensure that VMware modules will be rebuilt and signed for Secure boot when a kernel package is updated.
Copy the script below to /etc/kernel/postinst.d/vmware and make it executable.
#!/bin/sh -e
export LANG=C
command -v vmware-modconfig >/dev/null 2>&1 || exit 0
version="$1"
# passing the kernel version is required
if [ -z "${version}" ]; then
echo >&2 "W: initramfs-tools: ${DPKG_MAINTSCRIPT_PACKAGE:-kernel package} did not pass a version number"
exit 2
fi
# avoid running multiple times
if [ -n "$DEB_MAINT_PARAMS" ]; then
eval set -- "$DEB_MAINT_PARAMS"
if [ -z "$1" ] || [ "$1" != "configure" ]; then
exit 0
fi
fi
GCC="$(vmware-modconfig --console --get-gcc)"
echo "==== Building vmmon ===="
vmware-modconfig --console --build-mod -k "${version}" vmmon "$GCC"
[ -f /var/lib/shim-signed/mok/MOK.priv ] && kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "/lib/modules/${version}/misc/vmmon.ko"
echo "==== Building vmnet ===="
vmware-modconfig --console --build-mod -k "${version}" vmnet "$GCC"
[ -f /var/lib/shim-signed/mok/MOK.priv ] && kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "/lib/modules/${version}/misc/vmnet.ko"
echo "==== Running depmod ===="
if [[ -f "/boot/System.map-${version}" ]]; then
depmod -a "${version}" -F "/boot/System.map-${version}"
else
depmod -a "${version}"
fi