(no title)

What signing keys? Wordpress's automatic updates aren't signed, so your trust is horrendously misplaced.

Someone already did the work for them to implement it[0], and rather than commit it, a Wordpress developer wrote a blogpost saying signing isn't really that important[1].

[0] https://core.trac.wordpress.org/ticket/39309

[1] https://medium.com/@photomatt/wordpress-and-update-signing-5...