
How to know which key a repository is signed by (and vice versa)?

3 votes
1 answer
6713 views
I want to use the signed-by option on all the repositories of my /etc/apt/sources.list.d/debian.sources, pointing to the keys in /usr/share/keyrings instead of /etc/apt/trusted.gpg.d before disabling this directory, as I have understood this old way of doing it is insecure. I don't know if this only applies to third-party repositories, but better safe than sorry. However, when adding the signed-by option, I found myself unable to know which key to link to which repo, seeing that the keys' names don't match the repos:

> debian-archive-bullseye-automatic.gpg
> debian-archive-bullseye-security-automatic.gpg
> debian-archive-bullseye-stable.gpg
> debian-archive-buster-automatic.gpg
> debian-archive-buster-security-automatic.gpg
> debian-archive-buster-stable.gpg
> debian-archive-keyring.gpg
> debian-archive-removed-keys.gpg
> debian-archive-stretch-automatic.gpg
> debian-archive-stretch-security-automatic.gpg
> debian-archive-stretch-stable.gpg

My /etc/apt/sources.list.d/debian.sources looks like this:

> Types: deb
> URIs: https://deb.debian.org/debian/
> Suites: buster
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-stable.gpg
>
> Types: deb-src
> URIs: https://deb.debian.org/debian/
> Suites: buster
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-stable.gpg
>
>
> Types: deb
> URIs: https://security.debian.org/debian-security
> Suites: buster/updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
>
> Types: deb-src
> URIs: https://security.debian.org/debian-security
> Suites: buster/updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
>
>
> Types: deb
> URIs: https://deb.debian.org/debian/
> Suites: buster-updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg
>
> Types: deb-src
> URIs: https://deb.debian.org/debian/
> Suites: buster-updates
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg
>
>
> Types: deb
> URIs: https://deb.debian.org/debian
> Suites: buster-backports
> Components: main
> Signed-By: /usr/share/keyrings/debian-archive-buster-automatic.gpg

This doesn't throw any error when doing apt update and I can install software, but I would like to know a method to find out for sure which key I should put in the signed-by option for each repo, without having to do guesswork and being left with doubts. I know of apt-key list, but the information is pretty much the same: how is "Debian Security Archive Automatic Signing Key" supposed to tell us that it signs buster-updates AND buster-backports? Is it normal that one key can sign multiple suites? I would have expected one key per suite. Also, the opposite: how do I know what a key signs? How do I know I don't have useless keys in /usr/share/keyrings, or that they are signing malicious repositories?
Asked by Some_user (63 rep)
Jun 7, 2021, 08:38 PM
Last activity: Jun 11, 2021, 01:07 PM
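The check the question is after, as an added example that is not part of the original post or of Debian's own tooling: the file apt actually verifies against a Signed-By keyring is the suite's InRelease file (<URI>/dists/<Suite>/InRelease), and that file names the key IDs that signed it. The script below parses a deb822 `.sources` file into a keyring-to-InRelease mapping, extracts key fingerprints from `gpg --with-colons --show-keys <keyring>` output and issuer key IDs from `gpg --list-packets InRelease` output, and reports which signatures are covered by the keyring. It assumes the deb822 layout shown in the question and the gpg text formats named above; all sample inputs, key IDs and fingerprints are constructed and not real Debian keys.

```python
"""Map apt deb822 sources to the keyring and InRelease file that must agree,
then check that a signature's key ID is really present in that keyring.
Added example, not from the original post; sample data below is constructed."""
import re
from typing import Dict, List

# Constructed .sources file modelled on the question's; Types/URIs/Suites may be multi-valued.
SAMPLE_SOURCES = """\
Types: deb deb-src
URIs: https://deb.debian.org/debian/
Suites: buster buster-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-buster-stable.gpg

Types: deb
URIs: https://security.debian.org/debian-security
Suites: buster/updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-buster-security-automatic.gpg
"""

# Constructed output of `gpg --with-colons --show-keys <keyring>`: the "fpr" record
# carries the 40-hex-digit fingerprint in field 10 (index 9).
SAMPLE_SHOW_KEYS = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1546819200:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAAAAAAAAAAAAAA:
uid:-::::1546819200::0000::Example Archive Signing Key (constructed)::::::::::0:
"""

# Constructed, abridged output of `gpg --list-packets InRelease` with two signatures.
# An InRelease file may carry several signatures; apt needs only one of them to
# verify against the Signed-By keyring, so a second, unknown signer is not an error.
SAMPLE_LIST_PACKETS = """\
:compressed packet: algo=1
:onepass_sig packet: keyid AAAAAAAAAAAAAAAA
\tversion 3, sigclass 0x01, digest 10, pubkey 1, last=1
:literal data packet:
\tmode b (62), created 0, name="",
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1546819200, md5len 0, sigclass 0x01
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
\tversion 4, created 1546819200, md5len 0, sigclass 0x01
"""


def parse_deb822(text: str) -> List[Dict[str, str]]:
    """Split a deb822 file into stanzas: blank-line separated dicts of Field -> value."""
    stanzas: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
        elif not line.startswith("#"):
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def inrelease_urls(stanza: Dict[str, str]) -> List[str]:
    """InRelease files apt fetches for a stanza: <URI>/dists/<Suite>/InRelease.
    Flat repositories (a Suite ending in '/') use another layout and are not handled."""
    return [
        f"{uri.rstrip('/')}/dists/{suite.strip('/')}/InRelease"
        for uri in stanza["URIs"].split()
        for suite in stanza["Suites"].split()
    ]


def keyring_fingerprints(show_keys_output: str) -> List[str]:
    """Fingerprints (primary keys and subkeys) from `gpg --with-colons --show-keys` output."""
    return [line.split(":")[9] for line in show_keys_output.splitlines() if line.startswith("fpr:")]


def signing_keyids(list_packets_output: str) -> List[str]:
    """Issuer key ID of every signature packet in `gpg --list-packets` output."""
    return re.findall(r"^:signature packet: algo \d+, keyid ([0-9A-F]{16})", list_packets_output, re.M)


def keyids_in_keyring(sig_keyids: List[str], fingerprints: List[str]) -> List[str]:
    """A 64-bit key ID is the last 16 hex digits of the fingerprint, so match on the suffix."""
    return [kid for kid in sig_keyids if any(fpr.endswith(kid) for fpr in fingerprints)]


def plan(sources_text: str) -> Dict[str, List[str]]:
    """Keyring path -> InRelease URLs that must verify against it."""
    out: Dict[str, List[str]] = {}
    for stanza in parse_deb822(sources_text):
        out.setdefault(stanza["Signed-By"], []).extend(inrelease_urls(stanza))
    return out


if __name__ == "__main__":
    for keyring, urls in plan(SAMPLE_SOURCES).items():
        print(keyring)
        for url in urls:
            print("   ", url)
    sigs = signing_keyids(SAMPLE_LIST_PACKETS)
    print("signatures on InRelease:", sigs)
    print("covered by keyring:     ", keyids_in_keyring(sigs, keyring_fingerprints(SAMPLE_SHOW_KEYS)))
```

On a live system the two gpg outputs come from `gpg --with-colons --show-keys /usr/share/keyrings/debian-archive-buster-stable.gpg` and, after downloading the URL the script prints, `gpg --list-packets InRelease`; the direct form of the same check is `gpg --no-default-keyring --keyring /usr/share/keyrings/<file>.gpg --verify InRelease`, and `apt-get update -o Debug::Acquire::gpgv=1` shows which key apt itself accepted for each suite. Running this over every keyring in /usr/share/keyrings also answers the reverse question: a keyring whose fingerprints match no signature on any configured InRelease is not being used by any of your sources.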