Good to know: Base system and packages are treated separately (*NM.tgz sets vs packages), binary upgrades encouraged. You can build from source if you like, of course
Starting with the 5.5 release, base sets, packages and patches are signed. The signing keys can be found on that release's release page, printed on the official CDs and here:
Base sets: 5.6 base signify pubkey: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
Firmware: 5.6 fw signify pubkey: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
Packages: 5.6 pkg signify pubkey: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb
A new release means a new set of keys. You can fetch it from the mirrors before installing or upgrading.
And if you're upgrading to 5.6, your 5.5 system will have the keys, but others won't. That's fixable.
Also, keys for the next release are included in this one.