What is the safe flow for a client to verify such signatures? If we use the same API service to fetch the public key, then we're open to the same level of spoofing as with the API data: an attacker can just send us their key instead.
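The two flows the question contrasts, as an added example that is not part of the original post. It assumes Ed25519 detached signatures (a choice made here for the illustration), and the `SignedResponse` type, its `ClaimedKey` field and the JSON bodies are constructed for the demo. The safe flow verifies only against a key the client already holds (pinned at build time or installed out of band) and ignores any key that arrives with the data; the unsafe flow trusts the key from the same channel, so an attacker who can rewrite the body can also supply the key that validates it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedResponse is a constructed model of what the API returns: the payload, a
// detached signature, and the public key the response claims signed it. The
// claimed key is untrusted: it travels over the same channel as the data.
type SignedResponse struct {
	Body       []byte
	Signature  []byte
	ClaimedKey ed25519.PublicKey
}

// sign builds a response from a key pair; used for both the real server and the
// attacker, since from the client's point of view both produce valid-looking data.
func sign(pub ed25519.PublicKey, priv ed25519.PrivateKey, body []byte) SignedResponse {
	return SignedResponse{Body: body, Signature: ed25519.Sign(priv, body), ClaimedKey: pub}
}

// VerifyPinned is the safe flow: the verification key is fixed in the client
// (embedded in the binary or configured out of band) and the key carried in the
// response is ignored entirely.
func VerifyPinned(pinned ed25519.PublicKey, r SignedResponse) bool {
	return ed25519.Verify(pinned, r.Body, r.Signature)
}

// VerifyClaimed is the unsafe flow from the question: the client trusts whatever
// key the response (or a same-origin key endpoint) hands it.
func VerifyClaimed(r SignedResponse) bool {
	return ed25519.Verify(r.ClaimedKey, r.Body, r.Signature)
}

// Outcome records what each flow decides for a genuine and a spoofed response.
type Outcome struct {
	PinnedAcceptsGenuine  bool
	PinnedAcceptsSpoofed  bool
	ClaimedAcceptsSpoofed bool
}

// RunScenario generates a legitimate server key pair and an independent attacker
// key pair, builds one response from each, and checks them with both flows.
func RunScenario() (Outcome, error) {
	serverPub, serverPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	// The client pins serverPub before it ever talks to the API.
	pinned := serverPub

	genuine := sign(serverPub, serverPriv, []byte(`{"balance": 100}`))       // constructed
	spoofed := sign(attackerPub, attackerPriv, []byte(`{"balance": 1000000}`)) // constructed

	return Outcome{
		PinnedAcceptsGenuine:  VerifyPinned(pinned, genuine),
		PinnedAcceptsSpoofed:  VerifyPinned(pinned, spoofed),
		ClaimedAcceptsSpoofed: VerifyClaimed(spoofed),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	// Expected: pinned accepts genuine, rejects spoofed; claimed-key flow accepts spoofed.
	fmt.Printf("%+v\n", o)
}
```

The point of the demo is the last field: the claimed-key flow passes for attacker-signed data, so it adds no security over not checking at all. Pinning moves the trust decision to a channel the attacker does not control (the software distribution itself, a package manager, or a hash published out of band). If the key must rotate, the usual pattern is to ship the next key signed by the currently pinned one, so the client only ever trusts a key that chains back to what it was installed with.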