

You can find multiple instances when they are revoked keys and people on stack exchange are figuring out how to update them to use the toolkit after the change.
yeah, signing keys expire from time to time and then they need to be replaced or updated. but these are not per-user, these are public and cannot be kept in secret. this is not a subscription code, not a DRM either, it’s one of those very few exceptions when they are provided for actual security. the packages you download are already signed with the key, if you don’t accept the key your package manager just wont be able to verify if they have been tampered with while in transit. if you don’t accept the key, you can still install the packages, but then you also need to pass the parameter to your package manager that tells it to not verify the packagesthis time, which is 99.999% of the cases a bad idea.
oh forgot the second part.
first of all.
.pub
files are not microsoft owned keyfiles, but Microsoft Office Publisher documents. this is irrelevant now, but this is the only connection of microsoft with.pub
filessecond of all,
.pub
files can also be OpenPGP public key files. do you use SSH? look into your~/.ssh/
directory and you will see them there too. also in/etc/ssh/