browserpass-extension
Outdated PGP Signing Key
Apparently @maximbaz has changed his PGP key at some point. See for example here: https://archlinux.org/todo/rebuild-packages-signed-by-eb4f9e5a60d32232bb52150c12c87a28feac6b20/
In the browserpass-native repository, the correct PGP key (consistent with maximbaz.com and keybase.io) is updated in the README.md and the releases are signed with that key.
In this repository, the old RSA signing key still seems to be in use.
Exact steps to reproduce the problem
- Import the signing key.
$ curl https://maximbaz.com/pgp_keys.asc | gpg --import
pub ed25519 2021-10-24 [SC]
56C3E775E72B0C8B1C0C1BD0B5DB77409B11B601
uid Maxim Baz <[email protected]>
uid Maxim Baz <[email protected]>
uid Maxim Baz <[email protected]>
sub ed25519 2021-10-24 [S]
sub ed25519 2021-10-24 [A]
sub cv25519 2021-10-24 [E]
- Download release files
$ wget https://github.com/browserpass/browserpass-extension/releases/download/3.7.2/browserpass-webstore-3.7.2.crx
$ wget https://github.com/browserpass/browserpass-extension/releases/download/3.7.2/browserpass-webstore-3.7.2.crx.asc
- Check the signature of a release file.
$ gpg --verify browserpass-webstore-3.7.2.crx.asc
gpg: assuming signed data in 'browserpass-webstore-3.7.2.crx'
gpg: Signature made Di 19 Jan 2021 00:49:10 CET
gpg: using RSA key 8053EB88879A68CB4873D32B011FDC52DA839335
gpg: Can't check signature: No public key
What should happen?
The signature should be ok.
What happened instead?
The public key that was used for signing was not found.
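
The check from the steps above as a script, added here as an example and not part of the original issue or the browserpass project: it reads `gpg --status-fd` output and reports whether the signature comes from the pinned key, from a key that is not in the keyring, or from a different key. The function name, result labels and sample status lines are constructed for illustration; the two fingerprints are the ones shown in the issue.

```shell
#!/bin/sh
# Added example. Classifies the machine-readable output of
#   gpg --status-fd 1 --verify FILE.asc FILE 2>/dev/null
# against a pinned primary-key fingerprint. Assumes one signature per file.
PINNED=56C3E775E72B0C8B1C0C1BD0B5DB77409B11B601   # key imported in the issue

classify_status() {   # hypothetical helper; status lines on stdin, $1 = pinned fpr
    pinned=$1 good=0 bad=0 missing= primary=
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            GOODSIG)   good=1 ;;
            BADSIG)    bad=1 ;;
            NO_PUBKEY) missing=$rest ;;            # signer's long key ID
            # VALIDSIG starts with the (sub)key that signed and ends with the
            # primary-key fingerprint; pin the primary, not the subkey.
            VALIDSIG)  primary=${rest##* } ;;
        esac
    done
    if   [ "$bad" = 1 ];    then echo "BAD"
    elif [ -n "$missing" ]; then echo "MISSING_KEY $missing"
    # Require GOODSIG as well as VALIDSIG before trusting the fingerprint.
    elif [ "$good" != 1 ] || [ -z "$primary" ]; then echo "UNVERIFIED"
    elif [ "$primary" = "$pinned" ]; then echo "OK"
    else echo "WRONG_KEY $primary"
    fi
}

sample_issue() {      # constructed status lines for the failure in the issue
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 011FDC52DA839335 1 8 00 1611013750 9 8053EB88879A68CB4873D32B011FDC52DA839335
[GNUPG:] NO_PUBKEY 011FDC52DA839335
EOF
}

sample_good() {       # constructed; the subkey fingerprint and key ID are placeholders
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Placeholder User ID
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2022-01-01 1640995200 0 4 0 22 10 00 56C3E775E72B0C8B1C0C1BD0B5DB77409B11B601
EOF
}

sample_issue | classify_status "$PINNED"   # prints: MISSING_KEY 011FDC52DA839335
```

The `MISSING_KEY` result is the case reported here: the key ID it prints is the tail of the RSA fingerprint in the `gpg --verify` output, not of the pinned ed25519 key.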