That's a wrap! #Calamares #Linux installer version 3.3.14 out today.
Out of curiosity, I checked the GPG signature of this release. It's ok -- I post a sha256 and the signing-key with every release, so that people can verify. And then I checked the previous release and 3.3.12 and ... turns out I had posted the wrong signing key as part of the release announcement.
So those releases *are* signed, and they're good, but the release announcement mentions a different key.
Using only the first four digits of the key fingerprint (because I don't rotate signing keys **that** often):
- 3.3.9 says 4947 on the release page, is signed by 4947
- 3.3.10 says 4947, it is actually 6D98
- 3.3.11 says 4947, is signed by 4947
- 3.3.12 says 4947, it is actually 6D98
- 3.3.13 says 4947, it is actually 6D98
- 3.3.14 says 6D98, is signed by 6D98
Again, there is nothing wrong except the release announcement says a different signing key than actually used.
There are two things we can learn from this:
- I need to be more careful when writing release announcements
- Nobody actually checks GPG signatures of source-code tarballs
And I'll repeat for a third time: each release was signed by a (at the time) valid key of mine. The releases are all ok. Only the posted release announcements sometimes mention the wrong signing key (but still a signing key used by me).
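An added example, not code from the author or the Calamares project, of the three checks the post implies a downloader should do: the sha256 matches the announcement, gpg reports a valid signature, and the key that actually signed matches the fingerprint prefix the announcement names. The tarball bytes, the gpg status transcript and the fingerprints below are constructed stand-ins; `gpg_status` shows how the real status stream would be obtained.

```python
import hashlib
import re
import subprocess

# Constructed sample only: a stand-in tarball body and a gpg --status-fd transcript
# with a made-up fingerprint that starts with the 6D98 prefix from the post.
SAMPLE_TARBALL = b"calamares-3.3.14.tar.gz (constructed stand-in for the real file)\n"
SAMPLE_FPR = "6D98" + "0" * 36
SAMPLE_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SAMPLE_FPR[-16:]} Release Signer (constructed) <signer@example.invalid>
[GNUPG:] VALIDSIG {SAMPLE_FPR} 2025-01-01 1735689600 0 4 0 1 10 00 {SAMPLE_FPR}
"""
# In real use this value is copied from the release announcement; here it is computed for the sample.
ANNOUNCED_SHA256 = hashlib.sha256(SAMPLE_TARBALL).hexdigest()


def normalise_fpr(fpr):
    """Upper-case hex with spaces and a leading 0x dropped, so '6d98 cafe' and '0x6D98CAFE' compare equal."""
    s = fpr.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    return re.sub(r"[^0-9A-Fa-f]", "", s).upper()


def signing_fingerprint(status_text):
    """Fingerprint from the VALIDSIG status line, or None when gpg reported no valid signature."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[2].upper()
    return None


def gpg_status(sig_path, file_path):
    """Run gpg and capture its machine-readable status stream (needs gpg and the signer's key imported)."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                          capture_output=True, text=True)
    return proc.stdout


def check_release(data, announced_sha256, status_text, announced_key):
    """Three independent findings: a release can pass the first two and still fail the third,
    which is exactly the 3.3.10 / 3.3.12 / 3.3.13 situation from the post."""
    fpr = signing_fingerprint(status_text)
    announced = normalise_fpr(announced_key)
    return {
        "sha256_ok": hashlib.sha256(data).hexdigest() == announced_sha256.strip().lower(),
        "signature_valid": fpr is not None,
        "key_matches_announcement": bool(announced) and fpr is not None and fpr.startswith(announced),
    }
```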