It's not clear (to me at least) that placing keys into /etc/apt/trusted.gpg.d is deprecated.
According to https://wiki.debian.org/DebianRepository/UseThirdParty it is:
> The key MUST NOT be placed in /etc/apt/trusted.gpg.d or loaded by apt-key add.
There's nothing especially wrong about using signed-by, but it's not the security fix some people seem to believe. In short, *any* package you install can run arbitrary commands as the root user on your system during installation.
Obviously, and the page linked above even says as much:
> However, the installation of any single malicious package from a malicious repository can currently undo these protections, for example by running a MaintainerScripts command to override the configured preferences or by authorizing new OpenPGP keys. For the purposes of this page, attacks by a package that belongs to a given repository are out of scope. To restrict what an installed package can do, see the larger UntrustedDebs problem, and particularly Teams/Dpkg/Spec/DeclarativePackaging for a potential solution.
In fact, the automatic [signed-by=] migration that I implemented
uses exactly this avenue, albeit in an explicitly non-malicious
way that prompts the user first.
Kyle
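
An added example, not part of the original message or of any project mentioned in it: a small audit that reads one-line-style `sources.list` entries and reports which ones carry no `signed-by` option and so depend on the global trust store. The sample entries, host names and keyring path are constructed for illustration. As the thread notes, this only checks repository-to-key pinning and says nothing about what an installed package's maintainer scripts can do.

```python
import re

# Constructed sample input in one-line sources.list format (not from the thread).
SAMPLE = """\
# third-party repo pinned to its own keyring
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.com/apt stable main
# third-party repo that relies on the global trust store
deb https://other.example.org/debian stable main
deb-src [ arch=amd64 ] https://other.example.org/debian stable main
"""

# type, optional [options], URI, suite
ENTRY = re.compile(
    r"^(deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+(?P<suite>\S+)"
)


def parse_options(opts):
    """Turn 'arch=amd64 signed-by=/path' into a dict keyed by option name."""
    result = {}
    for token in (opts or "").split():
        key, _, value = token.partition("=")
        result[key.lower()] = value
    return result


def audit(text):
    """Return (line_no, uri, signed_by_or_None) for every deb/deb-src entry."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY.match(line)
        if not m:
            continue
        opts = parse_options(m.group("opts"))
        findings.append((no, m.group("uri"), opts.get("signed-by") or None))
    return findings


def unpinned(text):
    """Entries with no signed-by: keys in the global trust store apply to them."""
    return [(no, uri) for no, uri, keyring in audit(text) if keyring is None]


if __name__ == "__main__":
    for no, uri in unpinned(SAMPLE):
        print(f"line {no}: {uri} has no signed-by option")
```
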