Signing keys need updating on website

[udf2457]

I downloaded yubihsm2-sdk-2023-01-darwin-amd64.pkg and the associated sig file from the website

However its signed by A8CE167914EEE232B9237B5410CAC4962E03C7CC which is nowhere to be seen on the keys page

[nevun]

It is signed by a subkey of one of the keys on that keys page.

You need to gpg --recv-keys them all and then do verify, like this (I suspected it was aveen's key):

$ gpg --recv-keys 1d7308b0055f5aef36944a8f27a9c24d9588ea0f
$ gpg --verify yubihsm2-sdk-2023-01-darwin-amd64.pkg.sig
gpg: assuming signed data in 'yubihsm2-sdk-2023-01-darwin-amd64.pkg'
gpg: Signature made Tue 24 Jan 2023 07:25:45 PM CET
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Good signature from "Aveen Ismail <aveen.ismail@yubico.com>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 1D73 08B0 055F 5AEF 3694  4A8F 27A9 C24D 9588 EA0F
     Subkey fingerprint: A8CE 1679 14EE E232 B923  7B54 10CA C496 2E03 C7CC

It does say that on that keys page but might be easy to miss.

Verifying signatures with GnuPG

The list above lists primary key fingerprints, but GnuPG may print a subkey fingerprint 
if you attempt to verify a signature made with an unknown key. You can use 
gpg --recv-keys to download the necessary key.`

[udf2457]

I see, thanks @nevun .

The trouble with --recv-key is implies trust ? Might be better to publish an aggregated file of all keys that could be downloaded and imported in one go ?