I need to recollect the details, there’s no official doc except in code comments I think and an internal doc ATM. The issue is mostly that the view on how to identify the key from snapd POV vs PGP will differ unless the key respects the constraints very precisely. The main reason for this situation is while the signing, packet format is fine for us, we didn’t want to trust, especially going forward, the ways PGP identifies keys and matches signature packets back to keys.