
Trust path for release 5.6 is missing #3360

Closed
dvzrv opened this issue Mar 2, 2024 · 6 comments · Fixed by #3361

Comments

@dvzrv

dvzrv commented Mar 2, 2024

Hi! 👋

We package this project for Arch Linux, but unfortunately are having issues with the 5.6 release as the trust path for it is missing.
Some form of workflow has been established with #1125, however that one did not seem to include mentioning specific OpenPGP fingerprints (although it should) or cross-signing each other's keys.

The OpenPGP certificate with fingerprint 6F72A30EEA41B9B548570AD20D0DB2B265493E29 by @ajaykish for the latest releases has been missing entirely: #3352
Although now available on keyservers, the new OpenPGP certificate is not mentioned in https://github.com/tpm2-software/tpm2-tools/blob/2db1d6b4fbcd1aaee9a8a86d482ae3e9995bfceb/docs/RELEASE.md at all.

It would be great if one of the previous release persons (e.g. @williamcroberts or @idesai) could introduce it in a signed commit.
Ideally, please start referencing the OpenPGP fingerprints of the specific certificates in question, as that is much easier than an elaborate scheme to get to specific certificates on branch/tag somewhere.
Please upload all certificates and any cross-signatures you make to relevant OpenPGP keyservers: https://wiki.archlinux.org/title/OpenPGP#Keyserver

@idesai
Member

idesai commented Mar 2, 2024

@dvzrv thanks for reporting the issue. I will add the fingerprints for all in the RELEASE.md

@ajaykish I don't see your gpg key tagged on our repo. Let me know what you call it and I can update the commit for fixing this issue.

@dvzrv
Author

dvzrv commented Mar 5, 2024

@idesai thanks for looking into this.

Unfortunately, the change in #3361 was done without a signed commit and therefore does not solve this cryptographic trust path issue.

> [..] could introduce it in a signed commit.

Would it be possible for you or @williamcroberts to certify @ajaykish's certificate (aka. "sign their key") and upload that to the relevant keyservers? Note that https://keys.openpgp.org strips third-party certifications, https://keyserver.ubuntu.com does not, and neither do the syncing keyservers such as https://pgpkeys.eu/
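As an added example (not part of this thread and not tpm2-tools project code), this is the check a packager would script for the trust path dvzrv describes in the opening post and above: a release signer's certificate must carry a certification from a previously trusted release manager, and the release artifact's detached signature must come from that pinned fingerprint, not merely from "some key in the keyring". So that it runs offline, the script generates two throwaway keys in a temporary GNUPGHOME instead of fetching the real certificates; the user ids, email addresses and the "tarball" are constructed, and the helper names (`gpg_q`, `gen_key`, `has_certification`, `sign_release`, `verify_release`) are mine. Only standard GnuPG 2.x options are used.

```shell
#!/bin/sh
# Added example (not from the tpm2-tools project or this thread): the trust-path
# check a packager scripts before trusting a release signature.
#   1. a "release signer" key and a "prior release manager" key (both throwaway,
#      generated here so the script runs offline; real ones would be fetched by
#      fingerprint, e.g. gpg --keyserver keyserver.ubuntu.com --recv-keys FPR)
#   2. the prior release manager certifies the signer's key (the cross-signature
#      this issue asks for) and we check that the certification is present
#   3. a constructed "tarball" is detached-signed and verified against the pinned
#      fingerprint, and a tampered copy is shown to fail
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent and remove all throwaway material when the script exits.
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$WORK"' EXIT

# gpg with all prompting disabled; the throwaway keys use an empty passphrase.
gpg_q() { gpg --batch --no-tty --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Generate an ed25519 signing key for user id $1 and print its fingerprint
# (field 10 of the "fpr" record in --with-colons output).
gen_key() {
    gpg_q --quick-gen-key "$1" ed25519 sign 0 >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if key $1 carries a verified third-party certification made by
# key $2. A "sig" record has validity in field 2 ("!" = good) and the
# certifier's 16-hex-digit key id in field 5 (the tail of its fingerprint).
has_certification() {
    gpg --batch --with-colons --check-signatures "$1" 2>/dev/null \
        | awk -F: -v fpr="$2" '
            $1 == "sig" && $2 == "!" && $5 == substr(fpr, length(fpr) - 15) { found = 1 }
            END { exit !found }'
}

# Detached, ASCII-armored signature over file $2 made with key $1 -> "$2.asc".
sign_release() { gpg_q -u "$1" --armor --detach-sign --output "$2.asc" "$2" >/dev/null 2>&1; }

# Succeed only if "$2.asc" is a good signature over $2 made by fingerprint $1.
# Pinning on the VALIDSIG status line matters: gpg's plain exit status would
# also accept a good signature from any other key present in the keyring.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2.asc" "$2" 2>/dev/null \
        | awk -v fpr="$1" '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
                           END { exit !ok }'
}

# --- demo run (all names and files constructed) ---
SIGNER_FPR=$(gen_key "Release Signer <signer@example.invalid>")
CERTIFIER_FPR=$(gen_key "Prior Release Manager <prior@example.invalid>")

if has_certification "$SIGNER_FPR" "$CERTIFIER_FPR"; then
    echo "unexpected: certification present before cross-signing"; exit 1
fi
# The cross-signature: the prior release manager certifies the new signer's key.
gpg_q -u "$CERTIFIER_FPR" --quick-sign-key "$SIGNER_FPR" >/dev/null 2>&1
has_certification "$SIGNER_FPR" "$CERTIFIER_FPR" || { echo "certification missing"; exit 1; }
echo "trust path: $CERTIFIER_FPR -> $SIGNER_FPR"

RELEASE="$WORK/release-demo.tar.gz"
printf 'constructed release payload\n' > "$RELEASE"
sign_release "$SIGNER_FPR" "$RELEASE"
verify_release "$SIGNER_FPR" "$RELEASE" || { echo "release signature rejected"; exit 1; }
echo "release signature: good, made by $SIGNER_FPR"

TAMPERED="$WORK/tampered.tar.gz"
printf 'constructed release payload, modified\n' > "$TAMPERED"
cp "$RELEASE.asc" "$TAMPERED.asc"
if verify_release "$SIGNER_FPR" "$TAMPERED"; then
    echo "unexpected: tampered file verified"; exit 1
fi
echo "tampered copy: rejected"
```

With real certificates, `gen_key` is replaced by fetching both the signer's and the certifier's certificates by the fingerprints listed in RELEASE.md; as noted above, a fetch from keys.openpgp.org will not carry the third-party certification, so `has_certification` only passes when the keys come from keyserver.ubuntu.com or a syncing keyserver. The expected fingerprints are pinned in the script rather than taken from whatever the keyserver returns.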

@idesai
Member

idesai commented Mar 5, 2024

@dvzrv I signed the key. It should be available at https://keys.openpgp.org/vks/v1/by-fingerprint/6F72A30EEA41B9B548570AD20D0DB2B265493E29

@dvzrv
Author

dvzrv commented Mar 6, 2024

> @dvzrv I signed the key. It should be available at https://keys.openpgp.org/vks/v1/by-fingerprint/6F72A30EEA41B9B548570AD20D0DB2B265493E29

The third-party certification will unfortunately not be available on that keyserver (but would be on one of the other two):

> Note that https://keys.openpgp.org/ strips third-party certifications,

@idesai
Member

idesai commented Mar 6, 2024

> > @dvzrv I signed the key. It should be available at https://keys.openpgp.org/vks/v1/by-fingerprint/6F72A30EEA41B9B548570AD20D0DB2B265493E29
>
> The third-party certification will unfortunately not be available on that keyserver (but would be on one of the other two):
>
> > Note that https://keys.openpgp.org/ strips third-party certifications,

Oops - it should now be up on keyserver.ubuntu.com

@dvzrv
Author

dvzrv commented Mar 7, 2024

Awesome, thanks! 🎉
