Story
Resolution: Unresolved
Quality / Stability / Reliability
Currently, the built-in Red Hat signature integration ships with Red Hat's Release Key 3 hardcoded.
When that key is rotated, the integration becomes outdated: the built-in policy will report false positives for software signed with the newly rotated key, since the verifier never learns about it.
To avoid this, the trusted key should be loaded dynamically at runtime rather than compiled into the binary.
Considerations: once the key is rotated and only the new key is loaded, the policy will raise violations on all software still signed with the old key. Without any other change, a hypothetical cluster with zero violations for this policy would suddenly show many. Should this be handled, and if so, how?
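The following is an added illustration of the runtime-loaded design and of one answer to the rotation question, not code from the StackRox/RHACS project. It stands in Ed25519 signatures and a small JSON trust list for the real Red Hat release-key (GPG/cosign) verification; the configuration schema, the key IDs and the grace-period rule are assumptions made for this example. The idea is that a rotated key is not simply deleted but marked retired, so images signed with it keep passing (with a distinct verdict that can be surfaced as a warning) for a grace window, and only fail afterwards.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TrustedKey is one entry of a trust configuration loaded at runtime instead of
// being compiled into the binary. The schema is an assumption for this example.
type TrustedKey struct {
	ID        string `json:"id"`
	PublicKey string `json:"public_key"`           // hex-encoded Ed25519 public key
	RetiredAt string `json:"retired_at,omitempty"` // RFC 3339; empty means active
}

// Verdict is the policy outcome for one verified artifact.
type Verdict int

const (
	Pass        Verdict = iota // signed by an active key
	PassRetired                // signed by a retired key, still inside the grace window
	Fail                       // no trusted key verifies it, or the grace window is over
)

// KeyStore holds the parsed trust configuration.
type KeyStore struct {
	pubs    map[string]ed25519.PublicKey
	retired map[string]time.Time
}

// LoadKeyStore parses the JSON trust list. Calling it again with a new document
// is how a key rotation reaches the verifier without rebuilding the binary.
func LoadKeyStore(cfg []byte) (*KeyStore, error) {
	var keys []TrustedKey
	if err := json.Unmarshal(cfg, &keys); err != nil {
		return nil, err
	}
	ks := &KeyStore{pubs: map[string]ed25519.PublicKey{}, retired: map[string]time.Time{}}
	for _, k := range keys {
		raw, err := hex.DecodeString(k.PublicKey)
		if err != nil || len(raw) != ed25519.PublicKeySize {
			return nil, fmt.Errorf("key %q: bad public key", k.ID)
		}
		ks.pubs[k.ID] = ed25519.PublicKey(raw)
		if k.RetiredAt != "" {
			t, err := time.Parse(time.RFC3339, k.RetiredAt)
			if err != nil {
				return nil, fmt.Errorf("key %q: bad retired_at: %w", k.ID, err)
			}
			ks.retired[k.ID] = t
		}
	}
	if len(ks.pubs) == 0 {
		return nil, errors.New("trust configuration contains no keys")
	}
	return ks, nil
}

// Verify tries every trusted key. A retired key still passes until
// retired_at + grace, reported as PassRetired so it can be shown as a warning.
func (ks *KeyStore) Verify(payload, sig []byte, now time.Time, grace time.Duration) (Verdict, string) {
	for id, pub := range ks.pubs {
		if !ed25519.Verify(pub, payload, sig) {
			continue
		}
		retiredAt, isRetired := ks.retired[id]
		if !isRetired {
			return Pass, id
		}
		if now.Before(retiredAt.Add(grace)) {
			return PassRetired, id
		}
		return Fail, id
	}
	return Fail, ""
}

// RotationScenario walks one rotation with constructed keys and a constructed
// artifact: the old-key signature passes before rotation, is flagged but passes
// inside the grace window, and fails once the window has closed.
func RotationScenario() ([3]Verdict, error) {
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	artifact := []byte("constructed artifact: image digest sha256:0123abcd")
	sig := ed25519.Sign(oldPriv, artifact)
	rotation := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	grace := 30 * 24 * time.Hour

	before, _ := json.Marshal([]TrustedKey{{ID: "release-key-old", PublicKey: hex.EncodeToString(oldPub)}})
	after, _ := json.Marshal([]TrustedKey{
		{ID: "release-key-old", PublicKey: hex.EncodeToString(oldPub), RetiredAt: rotation.Format(time.RFC3339)},
		{ID: "release-key-new", PublicKey: hex.EncodeToString(newPub)},
	})

	var out [3]Verdict
	ks, err := LoadKeyStore(before)
	if err != nil {
		return out, err
	}
	out[0], _ = ks.Verify(artifact, sig, rotation.Add(-24*time.Hour), grace)
	if ks, err = LoadKeyStore(after); err != nil { // hot reload after rotation
		return out, err
	}
	out[1], _ = ks.Verify(artifact, sig, rotation.Add(7*24*time.Hour), grace)
	out[2], _ = ks.Verify(artifact, sig, rotation.Add(60*24*time.Hour), grace)
	return out, nil
}

func main() {
	verdicts, err := RotationScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before rotation: %d, 7 days after: %d, 60 days after: %d\n", verdicts[0], verdicts[1], verdicts[2])
}
```

Whether PassRetired should count as a violation, a warning, or nothing at all is exactly the open question in the ticket; keeping it as a separate verdict leaves that decision to the policy layer rather than to the verifier.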