for both softhsm2 and opendnssec I am unable to find any mention of the release signing key.
In the Debian source package there is an apparent copy of the public key that in its header reports:
#
# OpenDNSSec distribution keys. The keys are published at:
# https://wiki.opendnssec.org/display/OpenDNSSEC/PGP
#
# Distribution key 2017
# Valid from 2017-01-11 and expires 2024-08-01
But I've been unable to find the public key published securely by opendnssec.
I also found the existing key expired once before in November 2022, the Debian package maintainer reported it [0] and although there was no reply to that mailing-list report the expiry date of the key was apparently extended.
$ gpg ./opendnssec-2.1.13/debian/upstream/signing-key.asc
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2017-01-11 [SC] [expires: 2024-08-01]
4D0388CE86BB398B387B663041F623BE4FCB0B94
uid OpenDNSSEC Distribution Key 2017 <distribution-key@opendnssec.org>
In attempting to verify the source package signatures at
https://dist.opendnssec.org/source/
for both softhsm2 and opendnssec I am unable to find any mention of the release signing key.
In the Debian source package there is an apparent copy of the public key that in its header reports:
But I've been unable to find the public key published securely by opendnssec.
I also found the existing key expired once before in November 2022, the Debian package maintainer reported it [0] and although there was no reply to that mailing-list report the expiry date of the key was apparently extended.
[0] https://lists.opendnssec.org/pipermail/opendnssec-user/2022-November/004716.html