bitbox-wallet-app
Please have your gpg signing key cross-signed
The gpg key used to sign releases appears to be this:
pub rsa4096/0x509249B068D215AE 2022-06-02 [SC]
Key fingerprint = DD09 E413 0975 0EBF AE0D EF63 5092 49B0 68D2 15AE
uid [ unknown] ShiftCrypto Security <[email protected]>
Users are asked to simply trust a couple of websites that this is correct, but as the saying goes: Don't Trust, Verify.
Unfortunately there is no way for users to verify this is the correct key without meeting Shift devs in person. I've gone to great lengths to do exactly that in 2020 with devs, but none of the devs have signed this key from 2022.
The OpenPGP Web Of Trust can help here... please have an established dev like @benma cross-sign this key with their own personal key.
Next time I'm in Switzerland I'll do the same and publish the cross-signatures for others to use. This will create a cryptographic trust path (linked signatures) with thousands of others who are part of the OpenPGP Web Of Trust.
Thanks for helping us all to maintain high security standards.
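As an added example (not part of the original issue and not the project's own code), this is one way to check whether a release key carries usable cross-signatures: parse the output of `gpg --with-colons --check-sigs <fingerprint>` and keep only good, unrevoked certifications made by keys whose fingerprints you have verified yourself. The signer key IDs, names and e-mail address in the sample are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample in the format of `gpg --with-colons --check-sigs <fingerprint>`.
# Signer key IDs, names and the e-mail address are placeholders; the primary key
# fingerprint is the one quoted in the issue.
SAMPLE = """\
pub:-:4096:1:509249B068D215AE:1654128000:::-:::scSC::::::23::0:
fpr:::::::::DD09E41309750EBFAE0DEF63509249B068D215AE:
uid:-::::1654128000::0000000000000000000000000000000000000000::ShiftCrypto Security <release@example.invalid>::::::::::0:
sig:!::1:509249B068D215AE:1654128000::::ShiftCrypto Security <release@example.invalid>:13x:::::10:
sig:!::1:AAAAAAAAAAAAAAAA:1660000000::::Dev One (constructed):10x:::::10:
sig:?::1:BBBBBBBBBBBBBBBB:1660000000::::[User ID not found]:10x:::::10:
sig:!::1:CCCCCCCCCCCCCCCC:1660000000::::Dev Three (constructed):10x:::::10:
rev:!::1:CCCCCCCCCCCCCCCC:1670000000::::Dev Three (constructed):30x:::::10:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user-ID certification types


def _signer_verified(f, verified_fprs):
    # Field 13 carries the issuer fingerprint on newer GnuPG; otherwise fall
    # back to the 64-bit key ID (the low 64 bits of a v4 fingerprint).
    issuer = f[12] if len(f) > 12 else ""
    if issuer:
        return issuer in verified_fprs
    return any(fp.endswith(f[4]) for fp in verified_fprs)


def trusted_certifications(listing, verified_fprs):
    """Map each user ID to signer key IDs whose certification gpg marked good
    ('!'), that is not a self-signature, is not revoked, and whose signer is in
    verified_fprs (fingerprints the caller has verified out of band)."""
    primary, uid, certs, revoked = None, None, {}, set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, uid = f[4], None
        elif f[0] in ("sub", "uat"):
            uid = None  # signatures that follow do not certify a user ID
        elif f[0] == "uid":
            uid = f[9]
            certs.setdefault(uid, [])
        elif f[0] in ("sig", "rev") and uid is not None and f[1] == "!":
            if f[4] == primary or not _signer_verified(f, verified_fprs):
                continue  # self-signature, or signer not personally verified
            if f[0] == "rev" and f[10][:2] == "30":
                revoked.add((uid, f[4]))  # conservative: any revocation voids
            elif f[0] == "sig" and f[10][:2] in CERT_CLASSES:
                certs[uid].append(f[4])
    return {u: [k for k in ks if (u, k) not in revoked] for u, ks in certs.items()}
```

An empty list for a user ID means the key has no certification from anyone in your verified set, which is the situation the issue describes: only the self-signature vouches for it.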