The public key is publicly available so the signature can be verified. But when you rotate keys, what do you do? Post a list of formerly valid public keys? Are all public keys derived from one master/root key? And then you don't rotate the master? So then the rule is rotate "almost all" your keys. But then that rule goes out the window of master/root key is compromised.

That's pretty much how it works, at least in GPG world. You generally never rotate the top-level certifying key, and you use that only for certifying.

All that said, "that's how GPG does it" is usually a strong argument against a proposal.

There needs to be a time-dependent set of trust anchors, such as the European Trusted Lists standard. It’s not completely trivial, but the general architecture exists.