Good to know: Base system and packages are treated separately (*NM.tgz sets vs packages), binary upgrades encouraged. You can build from source if you like, of course
Starting with the 5.5 release, base sets, packages and patches are signed. The signing keys can be found on the release page, printed on the official CDs and here:
Base sets: 5.5 base signify pubkey: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h
Firmware: 5.5 fw signify pubkey: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO
Packages: 5.5 pkg signify pubkey: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5
A new release means a new set of keys. You can fetch it from the mirrors before installing or upgrading.
And if you're upgrading to 5.5, your system won't have them yet. That's fixable.