Document gpg keys used for releases

[matrixbot]

trafficstars

This issue has been migrated from #15994.

---

Description:

Hello! I'd like to be able to, e.g., git verify-tag v1.88.0, but I can't find any keys corresponding public key with that fingerprint posted anywhere. There's also no email for that key. Also, releases seem to be signed by one of at least several people.

Would it be possible to sign with a single key, or at least provide a keyring with all authorized signers?

[meskio]

Yes, please this will be really useful. I have checked and looks like all the tags are signed. Signatures seem to be coming either from @erikjohnston, @anoadragon453 or @reivilibre .

I can fetch from github the keys of erikjohnston and anoadragon453. But reivilibre doesn't have the openpgp key configured in github, that also means github doesn't display the tag as verified.

This is related to #2036.