This makes it easier to work with encrypted keys and multiple keys.
The firmware binary can contain multiple public keys that are used
to verify the manifest.
The use case is that we want to include the production public key
in the debug build, so we can seamlessly update to the production
version without re-flashing the device.
If the public key is always generated on the fly, this would still
require the production key password even for the debug build.
Instead, if we store the (unencrypted) public key, we can always
include it in the debug build.
Placing the SUIT key in the RIOT repository folder is dangerous as
a repo checkout is by most people considered a volatile location.
Since all important files are stored in git, deleting the entire folder
or its contents is not an uncommon cleanup operation.
If the user is at that point unaware that SUIT key material is stored
in that folder, that key will then be lost.
Another workflow may involve multiple checkouts of the RIOT repository
to multiple folders to work on several features at the same time, or for
easy cross-referencing or splitting off of features from an integration
into a feature branch.
In that case, each checkout would use its own incompatible SUIT key.
To avoid all these pitfalls, place the SUIT keys outside the RIOT
repository in the $XDG_DATA_HOME directory.