
For a given publisher of docker images on Docker Hub (let's say debian), how do I download their root release/image signing key and verify its authenticity from multiple sources out-of-band from each other?

Though it doesn't appear to be covered in the official docker documentation, this answer explains how to pin a given publisher's root key on a fresh install of a docker host to avoid blind TOFU.

But that answer didn't address how to actually obtain the given publisher's root key and verify its authenticity.

Typically, outside of docker, a publisher will do at least two things to assist their clients in obtaining the authentic copy of their release signing keys the first time:

  1. They get their key signed by many other developers or publishers, creating a web-of-trust

  2. They distribute their release signing public keys and/or primary key fingerprint on multiple, distinct domains (thus increasing the attack required to break all domains and nearly eliminating the possibility for MITM manipulation). For example, keybase.io, twitter.com, github.com, and their project's self-hosted website.

Other than running docker pull on several freshly-installed systems, blindly TOFU'ing, and comparing the resulting root.json files -- how can I download a given docker image publisher's root.json keyfile?

Michael Altfield
  • See also https://security.stackexchange.com/questions/238529/how-to-list-all-of-the-known-root-keys-in-docker-docker-content-trust – Michael Altfield Aug 27 '21 at 19:39
  • See also https://security.stackexchange.com/questions/238916/how-to-pin-public-root-key-when-downloading-an-image-with-docker-pull-docker-co – Michael Altfield Aug 27 '21 at 19:39
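The comparison step the question describes (obtaining root.json through several independent paths and checking that they agree with the key identifiers the publisher posts elsewhere) can be done mechanically. The following is an example added by the editor, not code from the question, from Docker, or from Notary. It assumes the root.json layout Docker Content Trust (Notary v1) serves (`signed.keys`, `signed.roles.root.keyids`, `signatures`), uses constructed placeholder key material rather than a real publisher's certificate, and does not verify the signatures on the file; it only checks that every copy names the same root keys and that those keys match the fingerprints obtained out-of-band, which is the check to pass before pinning anything.

```python
"""Cross-check independently obtained copies of a TUF/Notary root.json
before pinning the publisher's root key (editor's example, not Notary code)."""
import base64
import hashlib
import json

# Constructed placeholder key material. A real Docker Content Trust root key
# is an "ecdsa-x509" certificate; any byte string works for this example.
SAMPLE_PUBLIC_A = b"constructed-root-public-key-A"
SAMPLE_PUBLIC_B = b"constructed-root-public-key-B"


def pubkey_fingerprint(public: bytes) -> str:
    """Hex SHA-256 of the raw public-key bytes: a stable value to compare
    across copies and against a fingerprint the maintainer publishes."""
    return hashlib.sha256(public).hexdigest()


def make_root_json(keyid: str, public: bytes, version: int = 1) -> str:
    """Build a constructed root.json in the Notary v1 layout. The signature
    block is a placeholder; this example does not verify signatures."""
    b64 = base64.b64encode(public).decode()
    other = {"keytype": "ecdsa", "keyval": {"private": None, "public": b64}}
    doc = {
        "signed": {
            "_type": "Root",
            "consistent_snapshot": False,
            "expires": "2031-01-01T00:00:00Z",
            "keys": {
                keyid: {"keytype": "ecdsa-x509",
                        "keyval": {"private": None, "public": b64}},
                "other-role-key-placeholder": other,
            },
            "roles": {
                "root": {"keyids": [keyid], "threshold": 1},
                "targets": {"keyids": ["other-role-key-placeholder"], "threshold": 1},
                "snapshot": {"keyids": ["other-role-key-placeholder"], "threshold": 1},
                "timestamp": {"keyids": ["other-role-key-placeholder"], "threshold": 1},
            },
            "version": version,
        },
        "signatures": [{"keyid": keyid, "method": "ecdsa", "sig": "placeholder"}],
    }
    return json.dumps(doc)


def root_keys(root_json: str) -> dict[str, str]:
    """Map each key id trusted by the root role to its public-key fingerprint.
    Rejects non-Root metadata, unknown key ids, and an unsatisfiable threshold."""
    signed = json.loads(root_json)["signed"]
    if signed.get("_type") != "Root":
        raise ValueError("not root metadata")
    role = signed["roles"]["root"]
    keys = signed["keys"]
    result = {}
    for kid in role["keyids"]:
        if kid not in keys:
            raise ValueError(f"root role lists unknown key id {kid}")
        public = base64.b64decode(keys[kid]["keyval"]["public"])
        result[kid] = pubkey_fingerprint(public)
    if len(result) < role["threshold"]:
        raise ValueError("root threshold cannot be met by the listed keys")
    return result


def cross_check(copies: dict[str, str], out_of_band: dict[str, str]) -> tuple[bool, str]:
    """copies: source label -> root.json text fetched via that source (a fresh
    host, a second network path, a mirror). out_of_band: key id -> fingerprint
    published by the maintainer on a distinct channel. All copies must agree
    with each other and with the out-of-band set; returns (ok, message)."""
    seen = {}
    for label, text in copies.items():
        try:
            seen[label] = root_keys(text)
        except (ValueError, KeyError) as exc:
            return False, f"{label}: malformed root.json ({exc})"
    if not seen:
        return False, "no copies supplied"
    labels = list(seen)
    reference = seen[labels[0]]
    for label in labels[1:]:
        if seen[label] != reference:
            return False, f"{labels[0]} and {label} disagree on root keys"
    if reference != out_of_band:
        return False, "root keys do not match out-of-band fingerprints"
    return True, f"{len(reference)} root key(s) agree across {len(labels)} source(s)"


if __name__ == "__main__":
    good = make_root_json("root-key-A", SAMPLE_PUBLIC_A)
    oob = {"root-key-A": pubkey_fingerprint(SAMPLE_PUBLIC_A)}
    print(cross_check({"host1": good, "host2": good}, oob))
    # A copy whose root key was swapped in transit is caught by the comparison.
    swapped = make_root_json("root-key-A", SAMPLE_PUBLIC_B)
    print(cross_check({"host1": good, "host2": swapped}, oob))
```

The version field is deliberately ignored when comparing copies: two honest sources may hold different root.json versions while trusting the same keys, and it is the key set, not the file, that gets pinned.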

0 Answers