move archive keyring out of global trust path

move archive keyring out of global trust path

The [repository instructions][1] have been changed to avoid writing
third-party keyring files to the global trust anchors (in
`/etc/apt/trusted-gpg.d`) and instead write those to a more neutral
location (`/usr/share/keyrings`, alongside other keyring files).

[1]: https://wiki.debian.org/RepositoryInstructions

The downside of this change is that the key fingerprint isn't
validated directly through this process. But considering that
validation of the key is anchored through HTTPS validation in the
first place, we do not *really* lose anything by moving that to the
`.gpg` file transfer: that file's integrity is still checked through
HTTPS. Furthermore, not storing the explicit fingerprint here will
make future key rotations easier as they will not require
documentation updates.

Note that this change will also require a change in the
`grml-debian-keyring` package to install the keyring file in the new
location. If that package does not install a `.sources` or `.list`
file, that move will also break existing configurations, so a NEWS
entry might be in order as well.

This is related to the [proposed website documentation change][2]

[2]: https://github.com/grml/grml.org/pull/21