figure out method for upstreams to define the signers they deem "official"

There is often the question: how to determine what the "upstream signer" is? I currently know of no way to determine that automatically. I think the only way that makes sense is to have upstreams declare which signers they consider official.

In fdroiddata, there is a root of trust for the apps shipped on f-droid.org. In fdroiddata metadata, the source code repo and commit ID are declared. From that, it is then possible to reliably get files from the upstream. If upstream puts a file in their source repo, then there is a cryptographically verifiable method to fetch the data from that upstream. So I was thinking there could be a standard file name/path with a standard data format. That would be included in upstream's source repo, then other things can read it to figure out which are the official upstream signers.

@IzzySoft do you have some method for this? Anyone know if Obtainium or Accrescent do? Google does it by linking the signer to upstream's Google account.

Off the top of my head, I was thinking there could be a path like .official-signers.p12 which would be a PKCS12 keystore that contains the public certificates for all the official signers.
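To make the `.official-signers.p12` idea concrete, here is an added example (not code from this issue or from fdroidserver) that builds a cert-only PKCS12 keystore from a few constructed self-signed test certificates and then checks an APK signing certificate against the fingerprints declared in it. It assumes the `cryptography` package, and that the APK signer certificate has already been extracted by whatever tool the consumer uses; the certificate names are made up.

```python
# Added example: build a cert-only PKCS12 like the proposed .official-signers.p12
# and check an APK signer certificate against it. Uses the `cryptography` package.
# The certificates below are self-signed test certs constructed inline, not real
# upstream signing keys.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_self_signed(common_name: str) -> x509.Certificate:
    """Constructed stand-in for an upstream's APK signing certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))


def build_official_signers_p12(certs) -> bytes:
    """Serialize only public certificates (no private key) as a PKCS12 keystore,
    the format proposed for .official-signers.p12 in upstream's source repo."""
    return pkcs12.serialize_key_and_certificates(
        name=b"official-signers", key=None, cert=None, cas=list(certs),
        encryption_algorithm=serialization.NoEncryption())


def official_fingerprints(p12_bytes: bytes) -> set:
    """Read the keystore (as fetched from the commit declared in fdroiddata)
    and return the SHA-256 fingerprints of every certificate it contains."""
    _key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, None)
    certs = ([cert] if cert is not None else []) + list(extra or [])
    return {c.fingerprint(hashes.SHA256()).hex() for c in certs}


def is_official_signer(apk_signer_cert: x509.Certificate, p12_bytes: bytes) -> bool:
    """True if the APK's signing cert fingerprint is one upstream declared official."""
    fp = apk_signer_cert.fingerprint(hashes.SHA256()).hex()
    return fp in official_fingerprints(p12_bytes)
```

Comparing full SHA-256 certificate fingerprints, rather than subject names, is what makes the check meaningful: a fork can copy the name but not the key.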