AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0

Signature for 0.7.0 release #245

Open alerque opened 2 years ago

alerque commented 2 years ago

The previous release had a source tarball on your website with a matching GPG signature for the sources. The 0.7.0 release is available in the same location but there does not appear to be a matching signature file this time around.

As the downstream Arch Linux packager, it would be nice to verify a new build using the same GPG signature. If you don't plan to sign future releases, at least a statement to that effect signed with the known previous GPG key would be appreciated.

Is that possible?

AGWA commented 2 years ago

Unfortunately, my PGP sub-keys have expired and renewing them will be non-trivial (the master key is not readily accessible). I didn't want to delay a release any further while I sorted that out.

In the meantime, if you're concerned about verifying the integrity of this release, I recommend examining the (short) diff between the 0.6.0 and 0.7.0 tarballs to make sure there is nothing malicious in it.
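
The tarball comparison suggested in the last comment can be done without unpacking either archive. The following is an added example, not part of the issue thread or the git-crypt project; it assumes each tarball has a single versioned top-level directory, and `manifest`, `compare`, `make_tar` and the `demo-*` archives are hypothetical names and constructed sample data.

```python
import hashlib
import io
import tarfile

def manifest(data):
    """Map path (top-level directory stripped) -> (type, mode, digest or link target)."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:  # members are read in place; nothing is extracted to disk
            path = m.name.partition("/")[2]
            if not path:
                continue  # the top-level directory entry itself
            if m.isfile():
                detail = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                detail = m.linkname  # empty except for symlinks and hard links
            entries[path] = (m.type, m.mode & 0o7777, detail)
    return entries

def compare(old, new):
    """Return paths added, removed, or changed (content, mode or type) between releases."""
    a, b = manifest(old), manifest(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }

def make_tar(top, files):
    """Build a constructed .tar.gz in memory from {path: (content, mode)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (content, mode) in files.items():
            info = tarfile.TarInfo(f"{top}/{path}")
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample data, not the real git-crypt tarballs.
OLD = make_tar("demo-0.6.0", {"Makefile": (b"all:\n", 0o644), "key.cpp": (b"v1\n", 0o644),
                              "NEWS": (b"0.6.0\n", 0o644), "old.sh": (b"#!/bin/sh\n", 0o755)})
NEW = make_tar("demo-0.7.0", {"Makefile": (b"all:\n", 0o755), "key.cpp": (b"v2\n", 0o644),
                              "NEWS": (b"0.6.0\n", 0o644), "fix.cpp": (b"new\n", 0o644)})

if __name__ == "__main__":
    for kind, paths in compare(OLD, NEW).items():
        print(f"{kind}: {', '.join(paths) or '-'}")
```

The added and changed lists show which files to read in the actual diff; mode and link-target changes are reported even when file contents are identical.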