What is the recommended or standard way to publish my public key? Is there a standard place to host a public key?
The best way to distribute a public key is via a (PGP) keyserver. Here are two well-known ones: Ubuntu, MIT. You can also publish it to multiple servers to make it easier for your clients to find it.
Note that this only takes care of the distribution. You will still need to deal with how users will trust this key. Most likely, you will need to publish the fingerprint of the PGP key on your website, at which point it might be preferable to publish your public key directly.
Should it rely on a CA?
This is not a requirement. Although you can get a certificate and distribute it to the parties who will be called with your webhook, this will still require your users to implement custom validation logic, as this is not a standard. This will take care of the trust issue, assuming the CA is trusted by your users.
Ultimately, I'm trying to find the most "standard" way of signing webhooks with asymmetric keys.
I am not aware of any standard. I think the closest thing to this is the following flow.
- Someone registers to your services and sets up a webhook
- You give them a public key somehow (keyserver, direct publishing) which they can use to validate calls coming from you
- When you trigger the webhook, you sign it with the corresponding private key
- The receiving end verifies your webhook with the pre-shared public key
Without a standard, you can't work around the fact that your clients will need to implement custom logic. You could give them a library which does the key lookup and the validation.
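The flow in the answer above, sketched end to end for Node.js. This is an added example, not code from the original answer: the choice of Ed25519, the `x-webhook-*` header names, the SHA-256 fingerprint pinning and the 300-second freshness window are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// --- Sender (you): generate the key pair once, keep the private key secret.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });

// SHA-256 over the DER-encoded public key; this is the value to publish on your website.
function fingerprint(pem) {
  const der = crypto.createPublicKey(pem).export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Sign "<timestamp>.<raw body>" so the signature also binds the send time.
// Header names are hypothetical, not part of any standard.
function signWebhook(rawBody, key, now = Date.now()) {
  const timestamp = String(Math.floor(now / 1000));
  const sig = crypto.sign(null, Buffer.from(`${timestamp}.${rawBody}`), key);
  return { 'x-webhook-timestamp': timestamp, 'x-webhook-signature': sig.toString('base64') };
}

// --- Receiver (client): pin the key by fingerprint, then verify each call.
function verifyWebhook(rawBody, headers, pem, pinnedFingerprint, now = Date.now(), maxAgeSec = 300) {
  if (fingerprint(pem) !== pinnedFingerprint) return false; // not the key that was published
  const timestamp = headers['x-webhook-timestamp'];
  const sigB64 = headers['x-webhook-signature'];
  if (!/^\d+$/.test(timestamp || '') || typeof sigB64 !== 'string') return false;
  if (Math.abs(now / 1000 - Number(timestamp)) > maxAgeSec) return false; // stale, possibly replayed
  const sig = Buffer.from(sigB64, 'base64');
  // Verify over the raw bytes received, never over re-serialized JSON.
  const signed = Buffer.from(`${timestamp}.${rawBody}`);
  return crypto.verify(null, signed, crypto.createPublicKey(pem), sig);
}

// Constructed sample payload and a round trip.
const body = JSON.stringify({ event: 'invoice.paid', id: 'evt_example_1' });
const pinned = fingerprint(publicKeyPem);
const headers = signWebhook(body, privateKey);
console.log('valid:', verifyWebhook(body, headers, publicKeyPem, pinned));
console.log('tampered:', verifyWebhook(body.replace('paid', 'void'), headers, publicKeyPem, pinned));
```

The receiver takes the pinned fingerprint from a channel it already trusts (for example the sender's HTTPS website), so a key fetched from a keyserver is only accepted if it matches.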