Why "of course"? Keep your signing key off the repo, but you can very much keep them open source too.