Hi 👋
When trying to upgrade the package on Arch Linux from 2.23 to 2.24, I noticed that the tag for 2.24, created by @jcorporation, is not signed.
All previous releases (tags and custom source tarballs) have been signed with @MaxKellermann's OpenPGP key with the fingerprint 0392335A78083894A4301C43236E8A58C6DB4512.
On Arch Linux we follow best practices around the verification of upstream sources (see https://rfc.archlinux.page/0046-upstream-package-sources/).
These require us to check when a trust chain has been broken (which is the case with release v2.24).
In addition we attempt to use transparent sources (i.e. the contents of a locked git tag in this case).
Please establish a chain of trust between the persons creating releases of this project by cross-signing your OpenPGP keys and creating a new, signed tag (e.g. 2.24.1), so that downstreams can use the release.
Thanks!
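The check the issue asks downstreams to perform, written out as an added example in Python (it is not part of the project and not code from the reporter's post). Instead of trusting the exit status of `git verify-tag`, it parses the machine-readable `[GNUPG:]` status lines that gpg emits with `--status-fd` and that `git verify-tag --raw` forwards on stderr, and accepts a tag only when the signature verifies and the signing key's fingerprint is in a pinned set. The pinned fingerprint is the one quoted in the issue; the three sample transcripts, their dates and timestamps, the truncated user ID, and the all-`A` fingerprint standing in for an unknown key are constructed for the example.

```python
"""Accept a git tag only if it carries a valid OpenPGP signature from a pinned key.

Added example, not project code. It parses gpg's `[GNUPG:] KEYWORD args...`
status lines (as forwarded by `git verify-tag --raw`) so that three cases are
told apart: an unsigned tag, a tag signed by a key that is not pinned (the
broken-trust-chain case from the issue), and a tag signed by a pinned key.
"""
import subprocess

# Primary-key fingerprint quoted in the issue for the key that signed earlier releases.
PINNED_FINGERPRINTS = {"0392335A78083894A4301C43236E8A58C6DB4512"}


def parse_gpg_status(raw):
    """Collect `[GNUPG:] KEYWORD args...` lines into {KEYWORD: [args, ...]}.

    Lines without the `[GNUPG:]` prefix (git's own messages, gpg's
    human-readable output) are ignored.
    """
    status = {}
    for line in raw.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        status.setdefault(keyword, []).append(args)
    return status


def check_signature(raw, pinned=PINNED_FINGERPRINTS):
    """Return (accepted, reason) for one gpg status transcript."""
    status = parse_gpg_status(raw)
    if not status:
        return False, "no signature found (unsigned tag)"
    if "BADSIG" in status:
        return False, "signature does not verify (BADSIG)"
    if "NO_PUBKEY" in status or "ERRSIG" in status:
        return False, "signature could not be checked (ERRSIG/NO_PUBKEY)"
    if "VALIDSIG" not in status:
        return False, "no VALIDSIG line, signature not verified"
    # VALIDSIG fields: <sig-key fpr> <date> <timestamp> <expire-ts> <sig-version>
    # <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-key fpr>]
    # Pin on the primary-key fingerprint (last field) so a rotated signing
    # subkey of the same key still matches; fall back to the signing-key
    # fingerprint when gpg did not report a primary (assumption: older gpg).
    seen = []
    for args in status["VALIDSIG"]:
        signing_fpr = args[0].upper()
        primary_fpr = args[9].upper() if len(args) > 9 else signing_fpr
        seen.append(primary_fpr)
        if primary_fpr in pinned or signing_fpr in pinned:
            return True, "signed by pinned key " + primary_fpr
    return False, "valid signature but key %s is not pinned (trust chain broken)" % ", ".join(seen)


def verify_git_tag(tag, repo=".", pinned=PINNED_FINGERPRINTS):
    """Run `git verify-tag --raw` on a real checkout and apply the pinned-key check.

    `--raw` puts gpg's status lines on stderr; an unsigned tag yields no
    status lines at all and is therefore rejected by check_signature().
    """
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return check_signature(proc.stderr, pinned)


# Constructed sample transcripts (dates, timestamps and user ID are made up;
# the key ID is the last 16 hex digits of the pinned fingerprint).
SIGNED_BY_PINNED_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 236E8A58C6DB4512 Max Kellermann
[GNUPG:] VALIDSIG 0392335A78083894A4301C43236E8A58C6DB4512 2023-11-01 1698800000 0 4 0 1 10 00 0392335A78083894A4301C43236E8A58C6DB4512
[GNUPG:] TRUST_FULLY 0 pgp
"""

# A placeholder fingerprint (constructed) for a key that verifies but is not pinned.
UNKNOWN_FPR = "A" * 40
SIGNED_BY_UNKNOWN_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG %s Unknown Signer
[GNUPG:] VALIDSIG %s 2023-11-01 1698800000 0 4 0 1 10 00 %s
[GNUPG:] TRUST_UNDEFINED 0 pgp
""" % (UNKNOWN_FPR[-16:], UNKNOWN_FPR, UNKNOWN_FPR)

# What `git verify-tag --raw` leaves on stderr for a lightweight or unsigned tag.
UNSIGNED_TAG = "error: no signature found\n"


if __name__ == "__main__":
    for name, raw in [("pinned", SIGNED_BY_PINNED_KEY),
                      ("unknown", SIGNED_BY_UNKNOWN_KEY),
                      ("unsigned", UNSIGNED_TAG)]:
        ok, why = check_signature(raw)
        print("%-8s %s: %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

The "unknown key" case is the one that gpg's exit code alone does not catch: if that key happens to be in the verifier's keyring, `git verify-tag` exits 0 even though the release was not signed by the key that signed every previous one. Pinning the primary fingerprint, as the transcript check above does, is what turns a key change into a hard failure that a packager has to look at rather than a silently accepted tag.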