With the likelihood of multiple secret keys being compromised, a release has to get X number of signatures before being considered verified by clients and thus downloadable.

Whether the signatures are independent or m-of-n multi-sig is something to explore.

In the case of paying for co-verifying I think it will have the wrong incentives if an invalid verification isn’t penalized somehow and the affected users reimbursed?
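
The client-side rule from the first paragraph, taking the independent-signatures option, sketched as an added Go example (not code from the post's author or any project). Ed25519 and the names `Sig`, `Keys`, `DemoKey`, `SignRelease` and `Verified` are assumptions made for illustration; the point shown is that only distinct trusted keys count toward X.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Sig is one detached signature over the release's SHA-256 digest; Keys is the trusted signer set.
type Sig struct {
	Pub ed25519.PublicKey
	Val []byte
}
type Keys = []ed25519.PublicKey

// DemoKey builds a constructed, deterministic key (demo only, never for real use).
func DemoKey(b byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
}

// SignRelease signs the digest of artifact with priv.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) Sig {
	d := sha256.Sum256(artifact)
	return Sig{priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, d[:])}
}

// Verified counts distinct trusted keys with a valid signature and compares the count to x.
// Unknown keys, bad signatures and repeats of one key add nothing to the count.
func Verified(artifact []byte, sigs []Sig, trusted Keys, x int) (int, bool) {
	d := sha256.Sum256(artifact)
	counted := map[string]bool{}
	for _, s := range sigs {
		for _, t := range trusted {
			if len(t) == ed25519.PublicKeySize && t.Equal(s.Pub) && ed25519.Verify(t, d[:], s.Val) {
				counted[string(t)] = true
			}
		}
	}
	return len(counted), x > 0 && len(counted) >= x
}

func main() {
	rel := []byte("constructed release bytes")
	a, b := DemoKey(1), DemoKey(2)
	trusted := Keys{SignRelease(a, rel).Pub, SignRelease(b, rel).Pub}
	twice := []Sig{SignRelease(a, rel), SignRelease(a, rel)}
	fmt.Println(Verified(rel, twice, trusted, 2))                              // 1 false
	fmt.Println(Verified(rel, append(twice, SignRelease(b, rel)), trusted, 2)) // 2 true
}
```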