🐛 Bug Report: Latest releases not signed with GPG keys #651

@lmartinez-mirror

Description

Describe the bug

The latest releases aren't signed by any GPG key when they previously were.

Steps to reproduce the bug

  1. On the libreddit releases page, click on the latest release (0.24.2 at the time of writing this).
  2. Neither the release tag nor the commit has a GPG signature.

What's the expected behavior?

The latest release should be GPG signed to verify authenticity.

Additional context / screenshot

I package libreddit for the Arch User Repository (AUR). Arch packaging guidelines state that any package whose upstream signs releases must verify those signatures, and cannot skip verification when the maintainers don't sign.

See here:

https://wiki.archlinux.org/title/Arch_package_guidelines#Package_sources

Do not diminish the security or validity of a package (e.g. by removing a checksum check or by removing PGP signature verification), because an upstream release is broken or suddenly lacks a certain feature (e.g. PGP signature missing for a new release)

Thank you for your time!
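The check behind step 2 above, as an added example that is not part of this report or of the libreddit project: a shell snippet that tells an unsigned tag or commit object from one carrying a PGP signature block, plus a wrapper around `git verify-tag` / `git verify-commit` for the actual cryptographic verification the AUR guideline requires. The object ids, tagger, signature data and the tag name `0.24.2` in the samples are constructed placeholders.

```shell
# Text check on a raw object body (what `git cat-file -p <ref>` prints), read
# from stdin. Annotated tags embed the signature after the message; commits
# carry it in a `gpgsig` header. Prints "signed" or "unsigned". Presence of a
# block proves nothing by itself; verify_release below does the real check.
has_signature() {
  if grep -q -e '^-----BEGIN PGP SIGNATURE-----' -e '^gpgsig '; then
    echo signed
  else
    echo unsigned
  fi
}

# Cryptographic check: run inside a clone with the maintainer's public key in
# your keyring. Both git commands exit non-zero when the object is unsigned or
# the signature matches no known key; any gpg output on stderr gives the reason.
verify_release() {
  ref="$1"
  if [ "$(git cat-file -t "$ref" 2>/dev/null)" = tag ]; then
    git verify-tag "$ref"
  else
    git verify-commit "$ref"
  fi
}

# Constructed samples (fake object ids, placeholder tagger and signature data)
# so the text check runs offline. The real 0.24.2 tag may be named differently.
UNSIGNED_TAG='object 1111111111111111111111111111111111111111
type commit
tag 0.24.2
tagger Example Maintainer <maintainer@example.invalid> 1660000000 +0000

Release 0.24.2'
SIGNED_TAG="$UNSIGNED_TAG
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER_SIGNATURE_DATA
-----END PGP SIGNATURE-----"
SIGNED_COMMIT='tree 2222222222222222222222222222222222222222
author Example Maintainer <maintainer@example.invalid> 1660000000 +0000
committer Example Maintainer <maintainer@example.invalid> 1660000000 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER_SIGNATURE_DATA
 -----END PGP SIGNATURE-----

Release 0.24.2'

printf '%s\n' "$UNSIGNED_TAG"  | has_signature   # unsigned
printf '%s\n' "$SIGNED_TAG"    | has_signature   # signed
printf '%s\n' "$SIGNED_COMMIT" | has_signature   # signed
```

Against a real clone, `git cat-file -p 0.24.2 | has_signature` reproduces the reporter's observation offline, and `verify_release 0.24.2` is the check a packager's `validpgpkeys`-style verification ultimately relies on.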

Metadata

Labels

bug: Something isn't working
