Having investigated different options for this, it seems that the Omaha component updater may be the best fit. We can provide a packaged crx file with an updated public key in the manifest, and have that key read from startup and update a command-line flag to be forwarded to all new renderers.
 
(Routing this through the command line also allows developers to easily test with their own custom origin trial keys)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ee4f4a742db6b3e5c8bb8462f9da270c26be491c

commit ee4f4a742db6b3e5c8bb8462f9da270c26be491c
Author: iclelland <iclelland@chromium.org>
Date: Tue Apr 26 18:59:02 2016

Allow command-line arguments to override EF public key

This adds a command-line flag, --origin-trial-public-key, which can be used by
developers to override the public key used to verify the signed tokens for
origin trials.

BUG= 603588 

Review URL: https://codereview.chromium.org/1737693002

Cr-Commit-Position: refs/heads/master@{#389832}

[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/app/chrome_main_delegate.cc
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/browser/chrome_content_browser_client.cc
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/chrome_tests_unit.gypi
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/common/chrome_content_client.h
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/common/chrome_switches.cc
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/common/chrome_switches.h
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/common/origin_trials/origin_trial_key_manager.cc
[modify] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/common/origin_trials/origin_trial_key_manager.h
[add] https://crrev.com/ee4f4a742db6b3e5c8bb8462f9da270c26be491c/chrome/common/origin_trials/origin_trial_key_manager_unittest.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99c766f3508de3e9b3c629aedb2b95a97afa3880

commit 99c766f3508de3e9b3c629aedb2b95a97afa3880
Author: iclelland <iclelland@chromium.org>
Date: Fri Apr 29 13:24:43 2016

Allow the component updater framework to control Origin Trials.

This patch adds support for updating the public key for verifying origin trial token signatures through the component updater. Future patches are planned to add support for disabling individual experimental APIs and for revoking individual trial tokens. This patch lays the groundwork for these, but does not actually provide those extra features.

The component is not required to be present in order for origin trials to work (the default key will be used in that case), but if it is, it should include the public key in its manifest as a base64-encoded string representing 32 bytes, like this:

	"origin-trials": {
		"public-key": "abcdefghjijklmnopqrstuvwxabcdefghjijklmnopq="
	}

BUG= 603588 

Review-Url: https://codereview.chromium.org/1887743003
Cr-Commit-Position: refs/heads/master@{#390636}

[modify] https://crrev.com/99c766f3508de3e9b3c629aedb2b95a97afa3880/chrome/browser/chrome_browser_main.cc
[add] https://crrev.com/99c766f3508de3e9b3c629aedb2b95a97afa3880/chrome/browser/component_updater/origin_trials_component_installer.cc
[add] https://crrev.com/99c766f3508de3e9b3c629aedb2b95a97afa3880/chrome/browser/component_updater/origin_trials_component_installer.h
[modify] https://crrev.com/99c766f3508de3e9b3c629aedb2b95a97afa3880/chrome/chrome_browser.gypi
[modify] https://crrev.com/99c766f3508de3e9b3c629aedb2b95a97afa3880/components/component_updater/component_updater_paths.cc
[modify] https://crrev.com/99c766f3508de3e9b3c629aedb2b95a97afa3880/components/component_updater/component_updater_paths.h

All Support 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/27f4bcb37e897164fe60b13d7026057a1ee75003

commit 27f4bcb37e897164fe60b13d7026057a1ee75003
Author: iclelland <iclelland@chromium.org>
Date: Wed Jun 22 16:41:03 2016

Store Origin Trials public key in browser prefs

It was pointed out during code review of another CL that the component updater
will not read the manifest for an updated Origin Trials public key in time to
set the command line for the renderer process. This CL solves the issue by
having the component updater store the new key in browser local state. The new
key will then not be used on the current browser run, but will take effect the
next time the browser is started.

The new preference is added as "origin_trials.public_key". Other origin trials
policy configuration will be added within the "origin_trials" namespace.

The command-line flag can still be used to temporarily override the preference
for a single browser run.

BUG= 589830 , 603588 

Review-Url: https://codereview.chromium.org/2047683002
Cr-Commit-Position: refs/heads/master@{#401304}

[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/browser/chrome_browser_main.cc
[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/browser/chrome_browser_main.h
[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/browser/component_updater/origin_trials_component_installer.cc
[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/browser/prefs/browser_prefs.cc
[add] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/browser/prefs/origin_trial_prefs.cc
[add] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/browser/prefs/origin_trial_prefs.h
[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/chrome_browser.gypi
[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/common/pref_names.cc
[modify] https://crrev.com/27f4bcb37e897164fe60b13d7026057a1ee75003/chrome/common/pref_names.h