please publish GPG keyring used to sign new releases
I'd like to add source file verification for Fedora's mesa package (see "Source File Verification" from Fedora's Packaging Policy for background).
However I was unable to find an authoritative source about the GPG keys used to sign a release tarball. For example the latest release announcement did not mention the GPG key. The only thing I could dig up is the Release Calendar which names the release manager for planned releases.
Ideally there would be an HTTPS-accessible GPG keyring which contains the key(s) used to sign the release tarballs. Also it would be nice if the release announcement could mention the full GPG.
I'm sorry if I missed something and I hope you could help me there as this would be another (small) step in hardening Fedora against compromised tarballs.
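For context on how such a published keyring would be consumed, here is an added example (not part of the original post, nor taken from the actual Fedora mesa spec) of the Fedora-style source verification the request is aiming for; the fingerprint, URLs and file names are placeholders to be replaced with the real upstream values.

```spec
# Added illustration of Fedora "Source File Verification" in a spec file.
# Assumptions (placeholders, not real project values):
#   - upstream publishes a detached signature next to each tarball
#   - the signing key's full fingerprint is known and has been exported
#     into a keyring file committed to dist-git alongside the spec
Name:           example-pkg
Version:        1.0.0
Release:        1%{?dist}
Summary:        Placeholder package showing tarball signature verification
License:        MIT
URL:            https://example.invalid/

Source0:        https://example.invalid/releases/%{name}-%{version}.tar.xz
# Detached signature published by upstream for Source0
Source1:        https://example.invalid/releases/%{name}-%{version}.tar.xz.sig
# Keyring holding ONLY the release-signing key(s); the file name carries the
# full fingerprint so reviewers can check it against the announcement.
# 0000...0000 is a placeholder, not a real fingerprint.
Source2:        gpgkey-0000000000000000000000000000000000000000.gpg

# %%{gpgverify} is provided by redhat-rpm-config and needs gnupg2 at build time
BuildRequires:  gnupg2

%description
Placeholder package demonstrating verification of the release tarball
against a pinned keyring before the sources are unpacked.

%prep
# Fail the build if the tarball is not signed by a key in the pinned keyring.
# This runs before %%setup so a tampered tarball is never extracted.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q

%build
# nothing to build in this illustration

%install
# nothing to install in this illustration

%files

%changelog
* Mon Jan 01 2024 Packager <packager@example.invalid> - 1.0.0-1
- Placeholder entry
```

The keyring file is the trust anchor: it should be created from the full fingerprint published by upstream (the point of the request above) and updated deliberately whenever the release-signing key changes, never refreshed automatically at build time.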