Conversation

@marmarek (Member) commented Dec 17, 2025:

Packages built directly from the main branch. Not release quality. Those keys are not signed by QMSK.

QubesOS/qubes-issues#10478

@marmarek (Member, Author) commented:

@HW42 those are not release-quality packages, used mostly for developers/testers. While the builds are trusted (as in - made in a trusted environment), they are not security-supported. For this reason, the keys are not signed with the master key (but also, we don't sign template packages keys normally either).
Do you think it's a good idea to include those keys in qubes-secpack at all? Should they be more separated maybe (separate dir)? Or have some other name/description?

@andrewdavidwong (Member) commented:

Quoting from https://doc.qubes-os.org/en/latest/project-security/security-pack.html#pgp-key-policies:

Key signing (certification). Only some keys in the qubes-secpack are signed by the QMSK. Keys that are not signed directly by the QMSK are still signed indirectly by virtue of being included in the qubes-secpack, which is itself signed (via Git tags and/or commits) by keys that are in turn signed by the QMSK.

On the one hand, we've documented that there are already keys in the secpack that aren't signed by the QMSK, so of course it's fine to add more. On the other hand, the absence of a QMSK signature does not, by itself, clearly communicate anything specific about the trust level of a key in the secpack, since everything in the secpack is indirectly signed by the QMSK. If the intentional absence of a QMSK signature is intended to communicate some particular message regarding the trust level of a specific key, then that message should be made explicit.

@marmarek (Member, Author) commented:

The support status statement should ofc be also documented wherever we document how to use those testing packages.
