has gpg key changed? unable to verify v2.1.2-pre3/4

[tinfoilhash]

i imported the key linked in the release description:

❯ curl http://keyserver.ubuntu.com/pks/lookup\?op\=get\&search\=0x785a2269ee3a9736ac1a4f4c864b7cf9a811fef7 | gpg --import --
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5592    0  5592    0     0  17263      0 --:--:-- --:--:-- --:--:-- 17259
gpg: key 864B7CF9A811FEF7: 1 signature not checked due to a missing key
gpg: key 864B7CF9A811FEF7: public key "Specter Signer <noreply@specter.solutions>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

❯ gpg --list-keys noreply@specter.solutions
pub   rsa4096 2021-10-17 [SC] [expires: 2026-04-24]
      785A2269EE3A9736AC1A4F4C864B7CF9A811FEF7
uid           [ unknown] Specter Signer <noreply@specter.solutions>

but when i verify v2.1.2-pre3/4 (have not tried earlier versions):

❯ gpg --verify SHA256SUMS.asc
gpg: assuming signed data in 'SHA256SUMS'
gpg: Signature made Sun Feb  1 13:35:26 2026 EST
gpg:                using RSA key ED254C2E368D26D5A1678582E91B28AC99F6671B
gpg: Can't check signature: No public key

it looks like the key has changed?

[al-munazzim]

Triage Assessment

Verdict: VALID-BUG (release signing)

The GPG key used to sign v2.1.2-pre3/pre4 (ED254C2E368D26D5A1678582E91B28AC99F6671B) is different from the historical Specter Signer key (785A2269EE3A9736AC1A4F4C864B7CF9A811FEF7) linked in the release description.

This means either:

1. A new signing key was generated for the GitHub Actions release workflow (PRs Add GitHub Actions release workflow #2524-Add auto-generated release notes and lncm Docker trigger #2527 automated the release process) and the release description wasn't updated to reference the new key
2. The key needs to be published to a keyserver and/or linked in the README

The release workflow generates signatures in CI — the signing key is likely a GitHub Actions secret. The release description template should be updated to reference the correct public key, and ideally the new key should be cross-signed by the old one or by a maintainer's key to establish a trust chain.

cc @k9ert — this is likely related to the automated release workflow we set up. The GPG key in the CI secret doesn't match the one documented in the release template.

[al-munazzim]

Triage Assessment

This looks like a genuine issue with GPG key documentation. The release is being signed with key but the documentation points users to import .

Possible causes:

1. Key rotation without updating documentation
2. Incorrect release signing process
3. Documentation pointing to wrong key

Priority: HIGH (affects release verification security)

Could a maintainer clarify which key is the correct one? If the key was rotated, we should either:

• Update release documentation to point to the new key, OR
• Re-sign releases with the documented key

This affects user trust in release authenticity.