OpenPGP signatures for releases and transparency of custom tarballs

Hi! 👋 I package this project for Arch Linux.

When trying to switch from launchpad to GitLab for releases I noticed that, although there is e.g. the 4.0.2 release, OpenPGP signatures are added in a very inconvenient way for downstreams: in a wiki page as ASCII-armored inline code blocks. Why are these files not all added as artifacts to the release?

I also tried to switch to building from git sources (which after the fun we had with xz appears to be a more sensible choice when it comes to mission critical projects in general and those based on autotools in particular).

Unfortunately, the tags are signed using a different signing key (EDC4830FBD39AB6AC51047FB052F367018D5C3D8 instead of 3ECDCBA5FB34D254961CC53F6689E64E3D3664BB, which is used for the custom source tarballs).

@jjohansen: Would it be possible to certify your certificate with the fingerprint EDC4830FBD39AB6AC51047FB052F367018D5C3D8 using the one with the fingerprint 3ECDCBA5FB34D254961CC53F6689E64E3D3664BB to create a chain of trust between the two?

It would help me in switching to (the more transparent) git sources.
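The chain of trust requested above can be checked mechanically by a downstream packager once the certification exists. The following is an added example, not code from the issue author or the project: it parses the machine-readable output of `gpg --with-colons --check-sigs <tag-key-fingerprint>` and reports whether the tag-signing key carries a good certification issued by the tarball key. The two fingerprints are the ones quoted in the issue; the user IDs, timestamps and colon-format records are constructed sample data, as are the `sample_before`/`sample_after` helpers that stand in for real keyring output. Only a certification that gpg could actually verify (validity `!`) counts; a certification from a key that is not in the keyring (`?`) or the key's own self-signature does not.

```shell
#!/bin/sh
# Check that the git-tag signing key is certified by the release-tarball key,
# based on `gpg --with-colons --check-sigs` records.
# Fingerprints are the ones quoted in the issue; everything else is constructed.

TAG_KEY_FPR="EDC4830FBD39AB6AC51047FB052F367018D5C3D8"
RELEASE_KEY_FPR="3ECDCBA5FB34D254961CC53F6689E64E3D3664BB"

# is_certified_by <issuer-fingerprint>
# Reads colon-format key listing on stdin (real use:
#   gpg --with-colons --check-sigs "$TAG_KEY_FPR" | is_certified_by "$RELEASE_KEY_FPR")
# and exits 0 if some user ID carries a good ('!') certification (signature
# class 10x-13x) made by the long key id of the issuer, 1 otherwise.
is_certified_by() {
    awk -F: -v fpr="$1" '
        BEGIN { kid = substr(fpr, length(fpr) - 15) }   # long key id = last 16 hex digits
        $1 == "sig" && $2 == "!" && $5 == kid && $11 ~ /^1[0-3]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed listing: tag key with only its self-signature plus a certification
# whose issuer is not in the keyring, so gpg could not verify it ('?').
sample_before() {
    cat <<'EOF'
pub:u:4096:1:052F367018D5C3D8:1600000000::u:::scESC::::::23::0:
fpr:::::::::EDC4830FBD39AB6AC51047FB052F367018D5C3D8:
uid:u::::1600000000::0000000000000000000000000000000000000000::Tag Key <tag@example.org>::::::::::0:
sig:!::1:052F367018D5C3D8:1600000000::::Tag Key <tag@example.org>:13x:::::2:
sig:?::1:6689E64E3D3664BB:1700000000::::[User ID not found]:13x:::::2:
EOF
}

# Constructed listing after the tarball key was imported and its certification
# verified: same records, but the certification from 6689E64E3D3664BB is good.
sample_after() {
    cat <<'EOF'
pub:u:4096:1:052F367018D5C3D8:1600000000::u:::scESC::::::23::0:
fpr:::::::::EDC4830FBD39AB6AC51047FB052F367018D5C3D8:
uid:u::::1600000000::0000000000000000000000000000000000000000::Tag Key <tag@example.org>::::::::::0:
sig:!::1:052F367018D5C3D8:1600000000::::Tag Key <tag@example.org>:13x:::::2:
sig:!::1:6689E64E3D3664BB:1700000000::::Release Key <release@example.org>:13x:::::2:
EOF
}

check_before() { sample_before | is_certified_by "$RELEASE_KEY_FPR"; }
check_after()  { sample_after  | is_certified_by "$RELEASE_KEY_FPR"; }

# Stand-alone demo; a packaging script would run the real gpg listing instead
# and only then proceed to `git verify-tag <tag>` with the tag key.
if check_before; then echo "before: certified (unexpected)"; else echo "before: NOT certified"; fi
if check_after;  then echo "after: certified";  else echo "after: NOT certified (unexpected)"; fi
```

In a build script the listing comes from gpg rather than the sample functions; if the check fails, the build should stop before `git verify-tag` is trusted, since a valid tag signature from an uncertified key proves nothing about who controls it.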