by bubblethink 2905 days ago
> installing an OS from an unknown person on the internet

Eventually, what is needed is something like reproducible builds so that you can claim that this binary corresponds to this source tarball. I don't know where AOSP stands in that regard. The keys should be the only thing that users should ideally manage, i.e., you get the generic binary (that is known to correspond to the source tarball), sign it with your keys, and flash it. Just throwing ideas. This may not be in the scope of your project.

1 comments

I like this idea and could definitely get behind something like this. The signing process is done after builds complete, so it might be possible. Although on Pixel and Pixel XL it is likely not possible as the kernel must be built with the signing key to support the earlier version of Android Verified Boot (AVB 1.0).