With public GPG key servers being under attack and shut down (from what I understood), for the signing of files made available on the download servers the public keys need some other place to be made available.
Current approaches seen:
- krita: provides public key on share.kde.org (https://share.kde.org/index.php/s/fJ99V5mZvuyD0z8 cmp. https://krita.org/en/item/krita-4-2-4/)
- kdevelop: provides public key on private server (http://kfunk.org/shared/files/kfunk.asc, cmp. https://www.kdevelop.org/download)
- Plasma links both to https://sks-keyservers.net/pks/lookup?op=vindex&search=0xEC94D18F7F05997E as well as https://kde.org/info/plasma-signing-keys.pgp (cmp. https://kde.org/info/plasma-5.16.4.php)
- KDE Applications link to pgp.mit.edu key server (cmp. https://kde.org/info/applications-19.04.3.php)
- KDE Frameworks just mentions the key fingerprint (cmp. https://kde.org/announcements/kde-frameworks-5.60.0.php)
- GCompris: provides public key on share.kde.org (https://share.kde.org/index.php/s/YjKzYs1bgDsOo5V cmp. https://gcompris.net/downloads-en.html)
- (please extend)
I am myself not an experienced GPG user (despite having had my first signing party 2 decades ago ;) ). So I also have no idea how to help with the web of trust here to make the layer of the public key instance itself a more trustworthy thing, beyond persistence of the same key being used for some time.
So I am looking for a KDE standard on how to deal with providing public keys.
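Whatever place the key ends up being published at, the verification step a downloader should run is the same: pin the full fingerprint taken from the announcement page, import the fetched key into a throwaway keyring, refuse it if the fingerprint differs, and only then verify the tarball signature. The script below is an added example written for this thread, not code from the post or from any KDE project; the file names and the fingerprint in the usage line are placeholders.

```sh
#!/bin/sh
# Added example: pin a key's fingerprint before trusting it for download verification.
set -eu

# Normalise a fingerprint for comparison: drop spaces, a leading "0x", and lowercase hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only if both values are full 40-hex-digit v4 fingerprints and they match.
# Short (8) and long (16) key IDs are rejected on purpose: they are not collision resistant.
fpr_matches() {
  a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
  [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Import KEYFILE into a temporary keyring, check that the primary key's fingerprint equals
# EXPECTED (copied from the announcement page), then verify SIG over TARBALL with it.
verify_download() {
  expected=$1; keyfile=$2; tarball=$3; sig=$4
  tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
  gpg --homedir "$tmp" --batch --quiet --import "$keyfile"
  # First "fpr" record in colon output is the primary key's fingerprint.
  actual=$(gpg --homedir "$tmp" --batch --with-colons --fingerprint \
           | awk -F: '$1 == "fpr" { print $10; exit }')
  if ! fpr_matches "$expected" "$actual"; then
    echo "refusing key: fingerprint $actual does not match pinned $expected" >&2
    return 1
  fi
  gpg --homedir "$tmp" --batch --verify "$sig" "$tarball"
}

# Usage (placeholder fingerprint and file names):
# verify_download "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000" key.asc app.tar.xz app.tar.xz.sig
```

`gpg --verify` alone would happily report "Good signature" from any key that was imported, so the fingerprint comparison is the step that ties the download to the key the announcement actually named.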