The repo is here: https://github.com/mozilla-releng/cot-gpg-keys
Each PR will require at least the final commit to be signed by a valid key. Signing each commit with a valid key is even better, but not currently required.
To add new committers, we'll have to allow for it in GitHub, plus add the committer's GPG long keyid here https://github.com/mozilla-releng/cot-gpg-keys/blob/master/check_commit_signatures.py#L13 and the full pubkey here http://hg.mozilla.org/build/puppet/file/tip/modules/signing_scriptworker/files/git_pubkeys .
We need these GPG pubkeys for the decision, docker-image, and build docker worker AMIs.
We also need a process or convention to remove old, unused pubkeys once the AMIs are no longer used.
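One way to check a commit's signer against an allowlist of long key IDs, as described above. This is an added example, not the contents of check_commit_signatures.py or any code from the repo; the allowlist entry, function names and sample GnuPG status lines are constructed, and it assumes v4 keys, where the long key ID is the last 16 hex digits of the fingerprint.

```python
import subprocess

# Constructed placeholder allowlist of long key IDs (16 hex digits).
ALLOWED_LONG_KEYIDS = {"0123456789ABCDEF"}
PREFIX = "[GNUPG:] "
# GnuPG status keywords that mean the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signer_keyid(status_text):
    """Return the primary key's long key ID for a good signature, else None."""
    good, primary_fpr = False, None
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] in REJECT:
            return None
        if fields[0] == "GOODSIG":
            good = True
        elif fields[0] == "VALIDSIG" and len(fields) >= 2:
            # Field 10 is the primary key fingerprint; GOODSIG alone may
            # name a signing subkey, which would miss a primary-key allowlist.
            primary_fpr = fields[10] if len(fields) >= 11 else fields[1]
    if good and primary_fpr:
        return primary_fpr[-16:].upper()  # long key ID of a v4 key
    return None

def is_allowed(status_text, allowed=ALLOWED_LONG_KEYIDS):
    return signer_keyid(status_text) in allowed

def check_commit(rev="HEAD", repo="."):
    """Verify one commit with git and apply the allowlist to its signer."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", rev],
                          capture_output=True, text=True)
    return proc.returncode == 0 and is_allowed(proc.stderr)

# Constructed status output: signed by a subkey of the allowlisted primary key.
_VALID = ("[GNUPG:] VALIDSIG " + "A" * 24 + "FEDCBA9876543210 2017-01-01 "
          "1483228800 0 4 0 1 8 00 " + "B" * 24 + "0123456789ABCDEF\n")
SAMPLE_GOOD = "[GNUPG:] GOODSIG FEDCBA9876543210 Constructed User\n" + _VALID
# Constructed: same signature, but the key has expired.
SAMPLE_EXPIRED = "[GNUPG:] EXPKEYSIG FEDCBA9876543210 Constructed User\n" + _VALID

if __name__ == "__main__":
    print(is_allowed(SAMPLE_GOOD), is_allowed(SAMPLE_EXPIRED))
```

`check_commit` needs the committers' public keys in the local GnuPG keyring, since `git verify-commit` cannot report a good signature for a key it does not have.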
First PR for docker-worker is here: https://github.com/mozilla-releng/cot-gpg-keys/pull/3
This was merged. Feel free to either leave this bug open to track the process implementation, or resolve, since we have the first set of AMI pubkeys landed; whichever you prefer.
Currently guessing we want to close this out.
Please reopen if that's not the case.