
| Msg # 14913 of 15094 on ZZLI4416, Sunday 8-16-25, 6:21 |
| From: JEROEN PLOEMEN |
| To: ALL |
| Subj: Bug#1111266: python-argon2 upstream tags |
From: jcfp@debian.org

Package: src:python-argon2
Severity: normal
Control: found -1 25.1.0-1

Upstream appears to have stopped using their GPG key to sign git tags after the release of 23.1.0, but the package still tries to use that key to verify new upstream releases. This must have already affected the recently uploaded 25.1.0, which couldn't possibly have been successfully verified by uscan against the old GPG key.

Upstream git tags are now signed with some SSH key, and upstream advertises "artifact attestations" using "GitHub's CLI tool" as a method to verify released files. I'm not sure if either the SSH key or the github stuff is somehow supported by uscan; either way, verification using the GPG key in d/upstream/... no longer works and should be replaced or removed.

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2) |
(c) 1994, bbs@darkrealms.ca