Major change of approach and rewrite.

Fetching keys from the various hosts is silly: we must actually already
have them, otherwise SSH will complain.  Instead, assume that someone
has already arranged to collect the keys and put them in the host/
directory.  There's now a script to sign new certificates for them and
stash them in publish/.  There's another script to upload the publish/
directory to a webserver (or whatever).