Closed Bug 1333650 Opened 8 years ago Closed 7 years ago

CoT: look into separating tier3 and non-tier3 pubkeys

Categories

(Release Engineering :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mozilla, Unassigned)

References

Details

We could:
* ignore gpg signature checks on <tier3 trees. This isn't secure unless we also refuse all restricted scopes on <tier3 trees. If we do that, we should have something in the decision task logic to automatically drop nightly/release scopes down to depend scopes on non-tier3 trees.
* add a 2nd set of gpg keys, and another gpg homedir, to differentiate tier3 gpg keys from non-tier3 gpg keys. Possible, but takes additional cot verify logic, and maintaining 2x keys. garndt would love a more automated key->cot-gpg-keys process.
It looks like we're going to spin up dep signing scriptworkers, which will not check CoT. If we want to support beetmover, balrog, etc., we'll need to do something similar.
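The two options from the first comment, sketched as an added Python example (this is not scriptworker's or Mozilla's own code): a decision-task style downgrade of nightly/release scopes to the dep scope on non-tier3 trees, a separate gpg homedir per tier, and the rule that the gpg check may only be skipped on a <tier3 tree once no restricted scope survives. The tree names, tier numbers, scope strings and homedir paths are constructed assumptions.

```python
import re
from typing import List

# Constructed tree -> tier map; not Mozilla's real tree configuration.
TREE_TIERS = {
    "mozilla-central": 3,
    "mozilla-beta": 3,
    "try": 1,
    "projects/ash": 2,
}

# Assumed scope names: one dep scope, and a pattern for the restricted
# nightly/release signing scopes the bug says must not reach <tier3 trees.
DEP_SCOPE = "project:releng:signing:cert:dep-signing"
RESTRICTED_SCOPE = re.compile(r"^project:releng:signing:cert:(nightly|release)-signing$")

# Option 2: a second keyring so tier3 keys never sit in the homedir used
# to verify other trees. Paths are placeholders.
GPG_HOMEDIRS = {True: "/etc/cot/gpg-tier3", False: "/etc/cot/gpg-non-tier3"}


def is_tier3(tree: str) -> bool:
    """Unknown trees are treated as non-tier3 so the policy fails closed."""
    return TREE_TIERS.get(tree, 1) >= 3


def effective_scopes(tree: str, requested: List[str]) -> List[str]:
    """Option 1: on a non-tier3 tree, every nightly/release signing scope
    collapses to the dep scope; tier3 trees keep what was requested."""
    if is_tier3(tree):
        return sorted(set(requested))
    downgraded = {DEP_SCOPE if RESTRICTED_SCOPE.match(s) else s for s in requested}
    return sorted(downgraded)


def gpg_homedir_for(tree: str) -> str:
    """Option 2: choose the keyring by tier rather than mixing keys."""
    return GPG_HOMEDIRS[is_tier3(tree)]


def may_skip_signature_check(tree: str, scopes: List[str]) -> bool:
    """Skipping the gpg check on a <tier3 tree is only acceptable if no
    restricted scope remains; tier3 trees are always verified."""
    if is_tier3(tree):
        return False
    return not any(RESTRICTED_SCOPE.match(s) for s in scopes)
```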
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: General Automation → General