[Security] Last releases signed with an unknown GPG public key

It seems to me that versions V22.0 and V22.1 are signed with 73EA5D1203CFB000C76F1263C96DB3950DE40EBA. That's not the typical argakiig.asc 895DE0DFF8650B37A20534E380446824F9FD3A5A.

I've checked in etc/gpg/ and that GPG pubkey is not there.

Could it be a security breach? I guess not, but I would like to know what happened if you signed with another unpublished key or what, before upgrading to any of these versions.

Regards.

Edit: Just in case, I'm referring to the signed messages with the SHA256 hashes posted on GitHub releases.

1 Like

Thanks for reaching out. This was not a security breach but a case of incorrect key usage on the signing of the packages. We are working to resolve this.

1 Like

Yes, the key is mine, unfortunately I sometimes confuse which key I use. I have updated the signed message in the GitHub release with the correct key.

1 Like

Thanks! I will upgrade now.

1 Like
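
The check the original poster did by eye can be automated. This is an added example, not part of the thread or the project's tooling: gpg reports a good signature for any key in the local keyring, so the script reads gpg's `--status-fd` output and accepts the signed hash message only when the `VALIDSIG` fingerprint matches a pinned one. The function names, user ID and timestamps in the sample status lines are constructed; the two fingerprints are the ones quoted in the first post.

```python
import subprocess

# Fingerprint the thread gives for the usual release key (argakiig.asc).
PINNED = {"895DE0DFF8650B37A20534E380446824F9FD3A5A"}
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def gpg_status(signed_file):
    """Verify a signed file with gpg and return its machine-readable status lines."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", signed_file],
                          capture_output=True, text=True)
    return proc.stdout

def check_signer(status_text, pinned=PINNED):
    """Return (ok, detail); ok only if all signatures are valid and from a pinned key."""
    signers = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        tag, args = parts[1], parts[2:]
        if tag in REJECT:
            return False, "signature rejected: " + tag
        if tag == "VALIDSIG" and args:
            # First field: fingerprint of the key that signed (may be a subkey).
            # Tenth field, when present: fingerprint of its primary key.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    if not signers:
        return False, "no valid signature found"
    unknown = [s for s in signers if s not in pinned]
    if unknown:
        return False, "valid signature from unpinned key " + ", ".join(unknown)
    return True, "signed by pinned key " + signers[0]

# Constructed status output: fingerprints are the two quoted in the thread,
# user ID and timestamps are invented for the example.
def _status(fpr):
    return ("[GNUPG:] GOODSIG %s Constructed Signer <signer@example.invalid>\n"
            "[GNUPG:] VALIDSIG %s 2021-01-01 1609459200 0 4 0 1 8 01 %s\n"
            % (fpr[-16:], fpr, fpr))

SAMPLE_OTHER_KEY = _status("73EA5D1203CFB000C76F1263C96DB3950DE40EBA")
SAMPLE_PINNED = _status("895DE0DFF8650B37A20534E380446824F9FD3A5A")

if __name__ == "__main__":
    for name, sample in (("other key", SAMPLE_OTHER_KEY), ("pinned key", SAMPLE_PINNED)):
        print(name, "->", check_signer(sample))
```

To check a real download, pass the output of `gpg_status()` on the signed hash file to `check_signer()`.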