Please document your gpg keys #3125
Closed
We use Dependency Verification and currently there is no documentation stating which keys are safe.
Could you please document this?
Here are some examples of other projects documenting what key they use to sign their artifacts.
https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://downloads.apache.org/logging/KEYS