I believe that you can also embed the key in the Release file with that commit, though I've not checked yet.
This allows TOFU by allowing unauthenticated repos during first update; and future updates using keys in release files.
It would also allow repositories to rotate keys if users don't specify signed-by in sources files.
@juliank Is it also possible to do yum-style repo config where you pass a list of GPG key files to use too?
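A defender-side check for the point raised above: stanzas in a deb822 `.sources` file that carry no `Signed-By` field fall back to the system-wide trusted keyring, which is the unpinned case where key rotation and TOFU-style trust happen implicitly. The script below is an added example, not code from the thread or from apt; the sample stanzas and the `unpinned_sources` helper are constructed for illustration.

```shell
# Constructed sample: two deb822 stanzas, one pinned to a keyring via
# Signed-By, one relying on the global trusted keyring.
SAMPLE_SOURCES='Types: deb
URIs: https://deb.example.org/debian
Suites: bookworm
Components: main
Signed-By: /usr/share/keyrings/example-archive-keyring.gpg

Types: deb
URIs: https://unpinned.example.org/debian
Suites: bookworm
Components: main
'

# unpinned_sources FILE
# Prints the URIs of every stanza in a deb822 sources file that has no
# Signed-By field. Exit status is 1 if at least one such stanza exists,
# 0 if every stanza is pinned. Inline keys (Signed-By followed by an
# armored block on continuation lines) count as pinned, since the first
# line still starts with "Signed-By:".
unpinned_sources() {
    awk '
        BEGIN { RS = ""; FS = "\n"; bad = 0 }   # paragraph mode: one record per stanza
        {
            uri = ""; signed = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^URIs:/) { uri = $i; sub(/^URIs:[ \t]*/, "", uri) }
                if ($i ~ /^Signed-By:/) signed = 1
            }
            if (!signed) { print uri; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone run over the constructed sample (constructed for this example).
if [ "${0##*/}" != "sh" ] && [ -z "${UNPINNED_SOURCES_NO_MAIN:-}" ]; then
    tmpfile=$(mktemp)
    printf '%s' "$SAMPLE_SOURCES" > "$tmpfile"
    unpinned_sources "$tmpfile" || echo "unpinned stanzas found (see above)"
    rm -f "$tmpfile"
fi
```

Run it against `/etc/apt/sources.list.d/*.sources` to list repositories that are not pinned to a specific keyring; the yum analogue is checking each `.repo` section for `gpgcheck=1` together with a `gpgkey=` entry.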