Hi all, For some time now the workflow for independently released KDE software (that is, projects outside of Frameworks, Plasma and Gear) has been to upload it to ftp://upload.kde.org/incoming/ and then file a Sysadmin ticket (with the file hashes and destination)
There has now been a small change to that workflow, where our tooling that validates the hashes will now also be validating GPG signatures where they are provided. For tarballs it is expected that you provide a GPG signature (*.sig), but these won't be required for binary packages. GPG signatures will be validated against a keyring built from the keys located at https://invent.kde.org/sysadmin/release-keyring/ - so you will now need to have your key added there in advance of filing a Sysadmin ticket to have your release published. Please send a merge request to that repository with your key(s) following the format of $gitlabusern...@keyx.asc to have them added. Many thanks, Ben
