Comment 14 for bug 125103

Morten Kjeldgaard (mok0) wrote :

How about this solution:

(1) The PPA owner encrypts a file containing a secret passphrase with his/her own private key and Soyuz's official public key.

(2) Soyuz -- having the user's public key -- is then able to decrypt the passphrase and generate a new, user-specific key pair for PPA package signing only, protected by the user-supplied passphrase.

(3) Soyuz mails the public key to the PPA owner, who is now able to verify the packages from the PPA. The owner can distribute the public key to everyone who needs to use the PPA.

(4) The user should NOT have a copy of the secret key.

With this scheme, only Soyuz is able to decrypt the passphrase. Naturally, neither Soyuz's secret key nor the PPA owners' may be compromised.
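
The exchange proposed in the comment above, sketched with GnuPG as an added example that is not part of the original comment or of Soyuz. It assumes GnuPG 2.1 or later and reads step (1) as sign-then-encrypt; the function name, addresses, passphrase and the Ed25519 choice are constructed for the demo.

```shell
#!/bin/sh
# Added illustration of steps (1)-(4); every name and address is constructed.
ppa_key_demo() (
  set -e
  work=$(mktemp -d)
  mkdir -m 700 "$work/owner" "$work/soyuz"   # two separate keyrings
  trap 'for h in owner soyuz; do gpgconf --homedir "$work/$h" --kill gpg-agent; done 2>/dev/null; rm -rf "$work"' EXIT
  owner() { gpg --homedir "$work/owner" --batch --quiet --pinentry-mode loopback "$@"; }
  soyuz() { gpg --homedir "$work/soyuz" --batch --quiet --pinentry-mode loopback "$@"; }

  # Long-term identities; left unprotected only so the demo runs unattended.
  owner --passphrase '' --quick-generate-key 'owner@example.invalid' default default never
  soyuz --passphrase '' --quick-generate-key 'soyuz@example.invalid' default default never
  owner --export owner@example.invalid | soyuz --import
  soyuz --export soyuz@example.invalid | owner --import

  # (1) Owner signs the passphrase and encrypts it to the Soyuz public key.
  printf '%s' 'constructed demo passphrase' |
    owner --trust-model always --sign --encrypt -r soyuz@example.invalid -o "$work/pass.gpg"

  # (2) Soyuz decrypts and insists on a good signature from the owner's key
  #     before using the passphrase to protect a new signing-only key.
  soyuz --status-file "$work/status" --decrypt -o "$work/pass.txt" "$work/pass.gpg"
  grep -q '^\[GNUPG:\] GOODSIG .*owner@example.invalid' "$work/status" ||
    { echo 'no good owner signature'; exit 1; }
  soyuz --passphrase-file "$work/pass.txt" \
    --quick-generate-key 'ppa-signing@example.invalid' ed25519 sign never

  # (3) Only the public half is sent to the owner.
  soyuz --armor --export ppa-signing@example.invalid | owner --import
  owner --list-keys ppa-signing@example.invalid >/dev/null ||
    { echo 'public key missing'; exit 1; }

  # (4) The owner's keyring must not contain the PPA secret key.
  if owner --list-secret-keys ppa-signing@example.invalid >/dev/null 2>&1; then
    echo 'secret key present on owner side'; exit 1
  fi
  echo ok
)
```

The signature check in step (2) is what ties the passphrase to the PPA owner; without it anyone holding the Soyuz public key could submit a passphrase.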