I would like to establish authenticity of the KeepassXC release signing key:
BF5A 669F 2272 CF43 24C1 FDA8 CFB4 C216 6397 D0D2
I have not met any of the devs in person, so the best option I have is to confirm that the _developers who write the code_ also _sign the releases_ or _sign the key used for releases_ with the same key.
Gpg key signatures from the following devs on the release key above:
4AEE18F83AFDEB23 (Who controls this BTW? I see both @yan12125 and @TheZ3ro using it?)
(F628F9E41DD7C073, 2FDEB0D40BCA5E11, 440FC65F2E0C6E01, 732B30E4555D7C3C) don't seem to sign any commits, so that would be a nice start.

None of the devs listed above have signed the release key, so users cannot determine if it is the correct signing key. I know this is extremely unlikely, but this is a password manager, so security is critical.
Have each developer verify the key and sign with gpg --sign-key CFB4C2166397D0D2.
BONUS: Ideally, key CFB4C2166397D0D2 would also sign the key of each dev and devs could sign each other's keys.
Thanks!
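As an added example (not from the issue or from the KeePassXC project), a small POSIX shell check that does what the reporter did by hand: confirm a downloaded key's fingerprint equals the one quoted above, then report which of the expected certifier key IDs actually appear as good signatures on it, using gpg's machine-readable colon listing. The listing, the maintainer key IDs other than the release key's own, and the e-mail addresses are constructed placeholders; for a real check, feed it the output of `gpg --with-colons --check-sigs <fingerprint>`.

```shell
# Added example, not part of the issue or of KeePassXC: verify the release key's
# fingerprint and report which expected signers have certified it, by parsing
# gpg's machine-readable colon listing. Everything below runs offline on a
# constructed sample; for a real check, replace SAMPLE_LISTING with the output of
#   gpg --with-colons --check-sigs "$RELEASE_FPR"
# (--check-sigs rather than --list-sigs, so gpg validates each certification).

# Fingerprint quoted in the issue, with the display spaces removed.
RELEASE_FPR="BF5A669F2272CF4324C1FDA8CFB4C2166397D0D2"

# Long key IDs we expect as certifiers: the release key's own self-signature
# (CFB4C2166397D0D2, from the issue) plus maintainer keys. 0000000000000001 is a
# constructed placeholder for a maintainer who has not signed yet.
EXPECTED_SIGNERS="CFB4C2166397D0D2 F628F9E41DD7C073 0000000000000001"

# Constructed sample of a colon listing. Field 1 is the record type; for 'fpr'
# records the fingerprint is field 10; for 'sig' records field 2 is the check
# result ('!' good, '-' bad, '%' error, empty when unchecked) and field 5 is the
# certifier's long key ID.
SAMPLE_LISTING='pub:u:4096:1:CFB4C2166397D0D2:1482261606:::u:::scESC::::::23::0:
fpr:::::::::BF5A669F2272CF4324C1FDA8CFB4C2166397D0D2:
uid:u::::1482261606::0000000000000000000000000000000000000000::KeePassXC Release (constructed) <release@example.invalid>::::::::::0:
sig:!::1:CFB4C2166397D0D2:1482261606::::KeePassXC Release (constructed) <release@example.invalid>:13x:::::2:
sig:!::1:F628F9E41DD7C073:1491000000::::Maintainer (constructed) <m@example.invalid>:10x:::::2:
sig:-::1:DEADBEEFDEADBEEF:1491000000::::Bad signature (constructed) <x@example.invalid>:10x:::::2:'

# Print "yes" if the primary key's fingerprint equals RELEASE_FPR, else "no".
fingerprint_matches() {
    got=$(printf '%s\n' "$1" | awk -F: '$1=="fpr"{print $10; exit}')
    [ "$got" = "$RELEASE_FPR" ] && echo yes || echo no
}

# Print the long key IDs of certifiers whose signature did not fail verification.
signer_ids() {
    printf '%s\n' "$1" | awk -F: '$1=="sig" && $2!="-" && $2!="%"{print $5}' | sort -u
}

# Print each expected key ID that has not certified the key, one per line.
missing_signers() {
    present=$(signer_ids "$1")
    for id in $2; do
        printf '%s\n' "$present" | grep -qx "$id" || echo "$id"
    done
}

# Stand-alone report on the constructed sample.
echo "fingerprint matches: $(fingerprint_matches "$SAMPLE_LISTING")"
echo "certified by: $(signer_ids "$SAMPLE_LISTING" | tr '\n' ' ')"
echo "still missing: $(missing_signers "$SAMPLE_LISTING" "$EXPECTED_SIGNERS" | tr '\n' ' ')"
```

A key ID appearing in the listing only proves that someone claims that certifier; gpg marks the record '!' only when it holds the certifier's public key and the signature verifies, so import the maintainers' keys first.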
Each of the core maintainers (phoerious, thez3ro, and myself) signed the release key. We are the only ones with authorization to post releases to the keepassxc repository and merge authority to master. I am not sure if they used the same gpg key they use for github but the release key was definitely signed by all of us.
The KeepassXC release signing key is published on the https://keepassxc.org website and on github keepassxc_master_signing_key.asc
Core developers are listed here: https://github.com/orgs/keepassxreboot/teams/core-developers/members (see the label Maintainer)
Note: You can get user gpg keys with https://api.github.com/users/thez3ro/gpg_keys
"web-flow commit signing" 4AEE18F83AFDEB23 (Who controls this BTW? I see both @yan12125 and @TheZ3ro using it?)
Based on my observations, this key is controlled by GitHub, Inc. Commits are signed with this key whenever it's created on GitHub. For example, hitting the merge button on pull requests or editing files with GitHub's online editor.
4AEE 18F8 3AFD EB23 is none of ours. Our release key is CFB4 C216 6397 D0D2 and our team email key is 105D 8D57 BB97 46BD.
I cross-signed our release key with our team email and my personal key (which I use for signing commits and tags). Please refresh the public key from the key server.
@frostasm is not a KeePassXC maintainer.
Thanks for the fast response!
I see the signature from @phoerious added, thanks!
"web-flow commit signing" 4AEE18F83AFDEB23...
Yeah, just experimented and saw the same thing. Strange new "feature" of GitHub it seems.
Each of the core maintainers (phoerious, thez3ro, and myself) signed the release key.
@droidmonkey Which key here is yours? https://sks-keyservers.net/pks/lookup?op=vindex&search=0xCFB4C2166397D0D2 -- maybe one of the missing ones? I looked for keys matching your name (found about 20 keys, but none matched these sigs), etc.
I also didn't see a sig from @TheZ3ro 1DD7C073 or david, etc.
Would be great to get cross signatures from others, but you are correct that core devs are the most important.
Thanks!
The only three maintainers who can sign releases are @droidmonkey @TheZ3ro and myself. I added my signature with my personal key, perhaps the other two can do the same. Other people cannot certify the key's trust beyond "I downloaded it from keepassxc.org and the TLS certificate said the connection was secure" (which may be enough to certify an organization's key, but ymmv).
Interesting, looks like the key I signed was not pushed to the server. It is now signed by me.
This is all looking much better, thanks!
FYI: @droidmonkey has signed keys of other devs, release and team key.
Would be great if @phoerious and @TheZ3ro could also verify + sign his key and each other's keys to close the loop.