Package: src:python-argon2
Severity: normal
Control: found -1 25.1.0-1

Upstream appears to have stopped using their GPG key to sign git tags after the release of 23.1.0, but the package still tries to use that key to verify new upstream releases. This must have already affected the recently uploaded 25.1.0, which couldn't possibly have been successfully verified by uscan against the old GPG key.

Upstream git tags are now signed with some SSH key, and upstream advertises "artifact attestations" using "GitHub's CLI tool" as a method to verify released files. I'm not sure if either the SSH key or the GitHub stuff is somehow supported by uscan; either way, verification using the GPG key in d/upstream/... no longer works and should be replaced or removed.

