The latest release 0.4.46 was tagged and signed by a new party, @sosthene-nitrokey, that hasn't signed releases before. For Arch Linux packaging we're verifying the signatures on releases and do not have this key listed as a valid signer yet.
Would it be possible to get some attestation from either of the previous signers, @robin-nitrokey or @szszszsz, that this is expected? This could be a GPG-signed comment in here using the keys they previously used to sign releases, or a GPG signature on the new key uploaded to key servers, or something like that...
cc @dvzrv.