Most of them do, however in multiple groups I have been part of we maintained a git repo containing all trusted public keys ready to batch import.
To make maintianing trust on this easy, all commits to this folder are made with commits signed by the owner of the respective key, and then a merge commit signed by a maintainer that verified it.
This makes it really easy for automation to have a source of trouth to check/validate commit signatures in other repos.
To make maintianing trust on this easy, all commits to this folder are made with commits signed by the owner of the respective key, and then a merge commit signed by a maintainer that verified it.
This makes it really easy for automation to have a source of trouth to check/validate commit signatures in other repos.