It seems to me that versions V22.0 and V22.1 are signed with 73EA5D1203CFB000C76F1263C96DB3950DE40EBA. That's not the typical
I've check on
etc/gpg/ and that GPG pubkey is not there.
Could be a security breach? I guess not, but I would like to know what happened if you signed with another unpublished key or what, before upgrading to any of these versions.
Edit: Just in case, I'm referring to the signed messages with the
SHA256 hashes posted on GitHub relseases.