See for example the tag for 1.46.0:
Is there any way to remedy that? Likewise, the Git CLI shows:
$ git tag -v 1.46.0
object 04488afe34512aa4c33566eb16d8c912a3ae04f9
type commit
tag 1.46.0
tagger Pietro Albini <pietro@pietroalbini.org> 1598541310 +0200
1.46.0 release
gpg: Signature made Thu Aug 27 08:15:27 2020 PDT
gpg: using RSA key C13466B7E169A085188632165CB4A9347B3B09DC
gpg: Can't check signature: No public key
@rustbot modify labels: A-meta T-release C-bug
Mark-Simulacrum commented on Sep 2, 2020
I don't think so, because the release key is not associated with any particular GitHub user. I suppose @pietroalbini and I could upload it to our accounts, but that seems like a bad idea (it's not our key after all).
Realistically GitHub not having the public key doesn't really matter, the signing is targeted more towards local checking for very dedicated people.
camelid commented on Sep 2, 2020
Hmm, I wonder what other large projects do.
camelid commented on Sep 2, 2020
It looks like with Python the person releasing signs it with their personal key. Same with Node. Though I like Rust's model of signing it with the project's key. Is the release key the same as the key listed on the security policy page?
Mark-Simulacrum commented on Sep 2, 2020
No, it's a different key. I don't know that we publish it ourselves anywhere, but it is on the OpenPGP key server, for example: https://keys.openpgp.org/search?q=108F66205EAEB0AAA8DD5E1C85AB96E6FA1BE5FE
We should probably publish the fingerprint somewhere at least.
camelid commented on Sep 2, 2020
Yeah, maybe on the website at the bottom of the page? I wonder why there isn't a way to associate a PGP key with an organization on GitHub...
pietroalbini commented on Sep 2, 2020
We could associate it to @rust-lang-owner, even though we'll also need to add rust-key@ as one of its verified email addresses.
pietroalbini commented on Sep 2, 2020
The key is available at https://static.rust-lang.org/rust-key.gpg.ascii btw.
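The "local checking for very dedicated people" that the thread describes, as an added example that is not part of the issue or of the Rust project's tooling: it fetches the key from the URL above, refuses to import it unless its primary fingerprint is the one quoted in the thread, and after `git verify-tag` checks which key actually produced the signature, since gpg reports success for any key in the keyring. It assumes gpg 2.x, git and curl are installed and that it is run inside a rust-lang/rust checkout.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the Rust project. Pins the
# Rust release key by fingerprint before importing it, then verifies a tag and
# confirms the signature came from that pinned key. Assumes gpg 2.x, git and
# curl; the URL and fingerprint are the ones quoted in the thread.
set -eu

RUST_KEY_URL="https://static.rust-lang.org/rust-key.gpg.ascii"
RUST_KEY_FPR="108F66205EAEB0AAA8DD5E1C85AB96E6FA1BE5FE"

# From `gpg --with-colons` output on stdin, print the fingerprint (field 10 of
# the "fpr" record) that follows each "pub" record, skipping subkey fingerprints.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; want = 0 }'
}

# Read gpg status lines on stdin; succeed only if a VALIDSIG line names the
# expected fingerprint, either as the signing (sub)key (field 3) or as the
# primary key fingerprint (last field).
signing_key_matches() {
    awk -v want="$1" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
                      END { exit ok ? 0 : 1 }'
}

# Download the key and refuse it unless its primary fingerprint is the pinned one.
import_pinned_key() {
    keyfile=$(mktemp)
    curl -fsSL "$RUST_KEY_URL" -o "$keyfile"
    got=$(gpg --with-colons --import-options show-only --import "$keyfile" | primary_fingerprints)
    if [ "$got" != "$RUST_KEY_FPR" ]; then
        echo "refusing to import: expected $RUST_KEY_FPR, got '$got'" >&2
        rm -f "$keyfile"; return 1
    fi
    gpg --import "$keyfile"; rm -f "$keyfile"
}

# Verify a tag and check which key actually signed it. `git tag -v` alone
# succeeds for any key gpg knows, so the fingerprint comparison is the point.
verify_tag() {
    if ! status=$(git verify-tag --raw "$1" 2>&1); then
        echo "tag $1: signature did not verify" >&2; return 1
    fi
    printf '%s\n' "$status" | signing_key_matches "$RUST_KEY_FPR" \
        || { echo "tag $1: valid signature, but not from the pinned key" >&2; return 1; }
    echo "tag $1: signed by the pinned Rust release key"
}

# Usage (inside a rust-lang/rust checkout): sh verify-rust-tag.sh 1.46.0
[ "$#" -eq 0 ] || { import_pinned_key && verify_tag "$1"; }
```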