Have you heard of https://github.com/soupslurpr/AppVerifier ? It's at least an attempt to have a sort of community run trusted attested developer keyring. Obtainium was considering some kind of integration