The main page of the https://cri-o.io/ website recommends the following:

curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -

however the uses of apt-key gives system wide trust to the kubic keyring, which means packages contained in the kubic repo and signed by the kubic release key could override core system packages

the current recommendation for Debian based systems is to limit the scope of trust of a keyring to its associated package repository, as documented in https://wiki.debian.org/DebianRepository/UseThirdParty#Sources.list_entry

The install.md file has the correct way of adding the kubic keyring, however it is not reflected in the cri-o web site.