Responded to @kasparsd:
3. For the first install of any plugin or theme, users would need to explicitly specify the trusted key for the vendor. Each download page would prominently display the public key for users to specify.
4. Key rotation could be automated via custom HTTP headers with signed payloads. A single valid public key would ensure that revoked or invalid keys stop working immediately.