Either ensure that the specific GPG keys used to sign releases are mentioned in README(.md), or indicate that the key could be a sub-key of a listed key (the sub-key itself not being listed), with a sentence or two to minimize the time spent on the sub-key aspect, if applicable.

  • Version: 12.6.1
  • Platform: Linux

What steps will reproduce the bug?

gpg --verify SHASUMS256.txt.sig

What is the expected behavior?

The key used should be mentioned in README(.md).

What do you see instead?

gpg --verify SHASUMS256.txt.sig
gpg: assuming signed data in 'SHASUMS256.txt'
gpg: Signature made ...
gpg: using RSA key 0EFFE1BCEFD9C84E3D098152933B01F40B5CA946

I.e., the key is not mentioned in the README.
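The gap the report describes is that `gpg --verify` names the fingerprint of the signing key, which may be a sub-key, while a README typically lists only primary-key fingerprints. The script below is an added example written for this page, not code from the issue or from the project: it takes the `gpg: using ... key` line from verify output, resolves that fingerprint to its primary key by parsing the machine-readable `gpg --with-colons --fingerprint --list-keys` record format (where an `fpr` record carries the fingerprint of the `pub` or `sub` record just above it, in field 10), and then checks whether either fingerprint appears in the README text. The keyring listing, README excerpt, verify output and every fingerprint in it are constructed placeholder data, not real keys.

```shell
#!/bin/sh
# Added example (not from the issue or the project). Resolves the fingerprint a
# signature was made with to the primary key it belongs to, then checks whether
# either fingerprint appears in a README-style key list.
# All key material below is constructed placeholder data.

# Constructed output of `gpg --with-colons --fingerprint --list-keys`:
# a primary key (pub) followed by its fingerprint (fpr), a uid, and one
# signing subkey (sub) with its own fpr record.
SAMPLE_KEYRING='pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::0000000000000000000000000000000000000000::Example Releaser <releaser@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s::::::23:
fpr:::::::::2222222222222222222222222222222222222222:'

# Constructed README excerpt that lists only the primary key fingerprint.
SAMPLE_README='Release keys:
gpg --keyserver hkps://keys.example.invalid --recv-keys 1111111111111111111111111111111111111111'

# Constructed `gpg --verify` stderr in the shape shown in the report, with a
# placeholder sub-key fingerprint on the "using RSA key" line.
SAMPLE_VERIFY="gpg: assuming signed data in 'SHASUMS256.txt'
gpg: Signature made Thu 01 Jan 2020 00:00:00 UTC
gpg: using RSA key 2222222222222222222222222222222222222222"

# Print the fingerprint named on the "gpg: using <algo> key <fpr>" line.
signing_fpr() {
  printf '%s\n' "$1" | sed -n 's/^gpg: using [A-Za-z0-9]* key \([0-9A-F]*\)$/\1/p'
}

# Print the primary-key fingerprint for the fingerprint in $1, reading a
# colon-format key listing on stdin. A primary fingerprint resolves to itself;
# an unknown fingerprint prints nothing.
resolve_primary() {
  awk -F: -v want="$1" '
    $1 == "pub" { kind = "pub"; next }
    $1 == "sub" { kind = "sub"; next }
    $1 == "fpr" {
      if (kind == "pub") primary = $10   # fpr after pub: the primary fingerprint
      if ($10 == want) { print primary; exit }
      kind = ""
    }'
}

# Print "listed:<fpr>" and return 0 when the signing key or its primary key
# appears in the README text; otherwise print "unlisted:<fpr>" and return 1.
check_release_key() {
  verify_out="$1"; keyring="$2"; readme="$3"
  fpr=$(signing_fpr "$verify_out")
  [ -n "$fpr" ] || { echo "no signing key found in verify output"; return 2; }
  primary=$(printf '%s\n' "$keyring" | resolve_primary "$fpr")
  for candidate in "$fpr" "$primary"; do
    [ -n "$candidate" ] || continue
    if printf '%s\n' "$readme" | grep -q "$candidate"; then
      echo "listed:$candidate"
      return 0
    fi
  done
  echo "unlisted:$fpr"
  return 1
}

# Sample run: the sub-key 2222... is not in the README, but its primary 1111... is.
check_release_key "$SAMPLE_VERIFY" "$SAMPLE_KEYRING" "$SAMPLE_README"
```

On a real system the listing comes from `gpg --with-colons --fingerprint --list-keys` and the verify text from `gpg --verify SHASUMS256.txt.sig` (stderr); alternatively, `gpg --status-fd 1 --verify` emits a `VALIDSIG` status line whose last field is the primary-key fingerprint, which avoids the listing step entirely. Either way the check only tells you whether the key is the one the README names; it does not replace verifying that the README's fingerprints themselves came from a trusted channel.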