This is how the signed module demo works:

1. Proc that accesses a table
   No real users have access to the table

2. Create cert
   Use cert to sign the proc
     ADD SIGNATURE TO procname ...

3. Create user mapped to the cert
   GRANT SELECT on the table to the "certuser"

4. GRANT EXECUTE on the proc to a real user
   It works.