Remote Code Execution (RCE) is a type of vulnerability. Intentionally running code from a developer you trust is not a vulnerability.
An auto-update mechanism only becomes an RCE if it allows unauthorized third parties to execute code on your machine by failing to verify that the code comes from a legitimate source.
> you just need the key
Secrecy of cryptographic keys is the basis of all cryptography we use. There's no "just"; you need the key and you don't have it.
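The check the comment above describes, as an added example that is not part of the original comment or any particular updater: a client pins the developer's Ed25519 public key and accepts an update only if its signature verifies. The `Update` type, the `Sign` and `VerifyUpdate` helpers, the signed-message layout and the sample payloads are all hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a hypothetical update package: payload plus detached signature.
type Update struct {
	Version            string
	Payload, Signature []byte
}

var ErrUntrusted = errors.New("update rejected: not signed by the pinned key")

// signedMessage binds the version to the payload hash (assumed layout).
func signedMessage(version string, payload []byte) []byte {
	h := sha256.Sum256(payload)
	return append([]byte("update-v1\x00"+version+"\x00"), h[:]...)
}

// Sign is the developer-side step; it needs the private key.
func Sign(priv ed25519.PrivateKey, version string, payload []byte) Update {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return Update{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate releases the payload only if the pinned key verifies it.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize ||
		!ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return nil, ErrUntrusted
	}
	return u.Payload, nil
}

// Demo checks a genuine update, a modified payload, and a foreign signer.
func Demo() (genuine, tampered, foreign error) {
	devPub, devPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, otherPriv, _ := ed25519.GenerateKey(nil)    // a key the client never pinned
	good := Sign(devPriv, "1.2.3", []byte("constructed sample payload"))
	_, genuine = VerifyUpdate(devPub, good)
	bad := good
	bad.Payload = []byte("constructed modified payload")
	_, tampered = VerifyUpdate(devPub, bad)
	_, foreign = VerifyUpdate(devPub, Sign(otherPriv, "1.2.3", bad.Payload))
	return
}

func main() { fmt.Println(Demo()) }
```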