hynek / structlog

Simple, powerful, and fast logging for Python.

Home Page:https://www.structlog.org/


Git tag 24.2.0 signed with a different key

yan12125 opened this issue · comments

Hi, I'm the maintainer of the Arch Linux package python-structlog. I noticed that tags <= 24.1.0 are signed by the GPG key C2A04F86ACE28ADCF817DBB7AE2536227F69F181, and the git tag is signed with the SSH key ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBE7gQJRZIiYSXl8l72aDthoQ1AQIW/3fmmzLZ+XRODW. Could you confirm the key transition? Signing the SSH key with the GPG key may be a way.

You can essentially confirm by checking all my projects over the past months and see that all my commits are signed with it now. If someone managed to take over my account for such a long time, there’d be a lot more things to worry about.

I can do no GPG shenanigans because I’m thousands of kilometers away from my computer until end of June.

On the bright side, structlog now ships GitHub attestations: https://github.com/hynek/structlog/actions/runs/9260460988

> You can essentially confirm by checking all my projects over the past months and see that all my commits are signed with it now. If someone managed to take over my account for such a long time, there’d be a lot more things to worry about.

Thank you for the tip. Yes I can confirm recent usage of your SSH keys.

> I can do no GPG shenanigans because I’m thousands of kilometers away from my computer until end of June.

No problem, I'm fine with verifying future versions with SSH signatures.

> On the bright side, structlog now ships GitHub attestations: https://github.com/hynek/structlog/actions/runs/9260460988

Awesome!