Fetching keys from the various hosts is silly: we must actually already
have them, otherwise SSH will complain. Instead, assume that someone
has already arranged to collect the keys and put them in the host/
directory. There's now a script to sign new certificates for them and
stash them in publish/. There's another script to upload the publish/
directory to a webserver (or whatever).