@ jxhan, .......
Did you install with Secure Boot enabled or disabled.?
AFAIK, the 'grub-efi-amd64-signed package' is only needed to be downloaded and installed from the Internet if Secure Boot had been enabled, ie not needed if SB had been disabled.
Secure Boot came together with UEFI technology for the 2012-released Win 8 and was implemented by M$ on nearly all new OEM Windows computers. Secure Boot requires a bootloader to be signed by M$'s Verisign before it can be installed and the certificate signing service cost about US$100 per year. Ubuntu, Fedora, LM, etc had to pay to get their EFI bootloaders signed or approved, supposedly as non-malware. Minor Linux distros who could not afford to pay this yearly signing fee to M$'s Verisign require Secure Boot to be disabled before their bootloaders can be installed.
Initially in 2012, M$ wanted Secure Boot to be permanently enabled on new OEM Windows computers but they backed down after much opposition from the tech industry. Certain Surface devices from M$ have Secure Boot permanently enabled, eg ARM-based Surface RT. M$ will soon be introducing ARM-based Win 10 Surface devices. Will Secure Boot in such devices be permanently enabled.?
With the 2015-released Win 10, M$ told the OEMs that it is up to their discretion whether they want to have Secure Boot permanently enabled. Seems, a few of the OEMs are trying to make Secure Boot permanently enabled for their new 2017 computers by not allowing non-Windows EFI bootloaders to be installed. After much complaints from consumers, the OEMs issued BIOS firmware updates to allow the booting of non-Windows EFI bootloaders.
Most Surface devices have UEFI permanently enabled, ie cannot use Legacy BIOS mode for OS installation, purportedly required because of the Connected Standby feature for mobile devices. So, beware.