oauth-2.0, google-signin

Why are there two certificates at the oauth endpoint?
Why are there two certificates at the endpoint to retrieve the JWK-encoded keys if only one key is needed to verify the signature of a JWT?

These are the instructions where I found the endpoint: https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
Solution

  • It is up to the auth server to decide how many keys it uses. As you can see, there are two keys defined, each with a unique key ID (kid). Each key may have a dedicated purpose based on several criteria, such as scope, client type, key rotation, etc.

    The JWT returned contains a header attribute kid that specifies which key it was signed with. If you are verifying the JWT signature, you have to use the key identified by the kid from the JWT.
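The selection step described above, as an added example that is not part of the original answer and not Google's own library code: a constructed two-key JWKS in the shape Google's endpoint serves, a token signed under one kid, and a verifier that picks the JWK by the token's kid before checking the RS256 signature. It assumes Python 3.8+ and uses a constructed demo RSA key built from two Mersenne primes so it runs offline with the standard library only.

```python
import base64, hashlib, json
# Constructed demo RSA key from two Mersenne primes so the example runs offline
# with the standard library only; trivially factorable, demo use only.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def int_field(x: int) -> str:  # JWK "n"/"e" are base64url big-endian integers
    return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))

JWKS = {"keys": [  # constructed, in the shape Google serves: two keys, two kids
    {"kty": "RSA", "kid": "demo-1", "n": int_field(N + 2), "e": int_field(E)},  # other key
    {"kty": "RSA", "kid": "demo-2", "n": int_field(N), "e": int_field(E)},
]}

def emsa_pkcs1_v15_sha256(msg: bytes, k: int) -> int:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_rs256(header: dict, claims: dict) -> str:
    # Issuer side (what Google does): sign "header.payload" with the private key.
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    sig = pow(emsa_pkcs1_v15_sha256(signing_input.encode(), k), D, N)
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))

def verify_rs256(token: str, jwks: dict) -> dict:
    # Verifier side: select the JWK whose kid matches the header, then check RS256.
    h64, c64, s64 = token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":  # pin the algorithm; the token must not choose it
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    matches = [k for k in jwks["keys"] if kid is not None and k.get("kid") == kid]
    if not matches:  # unknown kid: refresh the JWKS (key rotation) before rejecting
        raise KeyError(f"no JWK with kid {kid!r}")
    n, e = (int.from_bytes(b64url_decode(matches[0][f]), "big") for f in ("n", "e"))
    s = int.from_bytes(b64url_decode(s64), "big")
    expected = emsa_pkcs1_v15_sha256(f"{h64}.{c64}".encode(), (n.bit_length() + 7) // 8)
    if s >= n or pow(s, e, n) != expected:
        raise ValueError("signature does not verify under the selected key")
    return json.loads(b64url_decode(c64))
```

Signature validity is only the first check; a real verifier must still validate iss, aud and exp as the linked Google guide describes.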