Yeah, try to argue in front of a court that this somehow covers private signing keys.

I don't think the GPL covers signing keys, just some mechanism for installation. Allowing addition of additional signing keys is a good way to do it, just like UEFI Secure Boot does things. There are also plenty of phone vendors who allow bootloader unlock after wiping the device DRM/etc keys too.