Merge #11909: contrib: Replace developer keys with list of pgp fingerprints

fabb72b contrib: Remove xpired 522739F6 key (MarcoFalke)
faeab66 contrib: Replace developer keys with list of pgp fingerprints (MarcoFalke)

Pull request description:

  Having to host a copy of the keys in this repo was a common source of discussion and distraction, caused by problems such as:

  * Outdated keys. Unclear whether and when to replace by fresh copies.
  * Unclear when to add a key of a new developer or Gitian builder.

  The problems are solved by
  * Having no keys but only the fingerprints
  * Adding a rule of thumb, when to add a new key

  <strike>Moving the keys to a different repo solves none of these issues, but since the keys are not bound to releases or git branches of Bitcoin Core, they should live somewhere else.

  Obviously, all keys are hosted and distributed on key servers, but were added to the repo solely for convenience and redundancy.

  Moving the mirror of those keys to a different repo makes it less distracting to update them -- let's say -- prior to every major release.

  I updated our `doc/release-process.md` to reflect the new location.

  DEPENDS_ON bitcoin-core/gitian.sigs#621
  </strike>

Tree-SHA512: c00795a07603190e26dc4526f6ce11e492fb048dc7ef54b38f859b77dcde25f58ec4449f5cf3f85a5e9c2dd2743bde53f7ff03c8eccf0d75d51784a6b164e47d

Author: laanwj

contrib/gitian-keys/README.md

@@ -1,16 +1,26 @@
-PGP keys
-========
+## PGP keys of Gitian builders and Developers
 
-This folder contains the public keys of developers and active contributors.
+The keys.txt contains the public keys of Gitian builders and active developers.
 
 The keys are mainly used to sign git commits or the build results of Gitian
 builds.
 
-You can import the keys into gpg as follows. Also, make sure to fetch the
-latest version from the key server to see if any key was revoked in the
-meantime.
+The most recent version of each pgp key can be found on most pgp key servers.
+
+Fetch the latest version from the key server to see if any key was revoked in
+the meantime.
+To fetch the latest version of all pgp keys in your gpg homedir,
 
 ```sh
-gpg --import ./*.pgp
 gpg --refresh-keys
 ```
+
+To fetch keys of Gitian builders and active developers, feed the list of
+fingerprints of the primary keys into gpg:
+
+```sh
+while read fingerprint keyholder_name; do gpg --keyserver hkp://subset.pool.sks-keyservers.net --recv-keys ${fingerprint}; done < ./keys.txt
+```
+
+Add your key to the list if you provided Gitian signatures for two major or
+minor releases of Bitcoin Core.