GPG signing key expired - blocking releases #7012
Description
Description
The GPG key used for signing release artifacts has expired, preventing successful releases.
Evidence
The signing subkey A20B5C7E expired on 2025-11-07:
$ gpg --show-keys .ci/gpg/pubring.auto
pub rsa4096 2020-10-30 [C] [expired: 2025-11-07]
3B2F1481D146238080B346BB052996E2A20B5C7E
uid Operator SDK (release) <[email protected]>
sub rsa4096 2020-10-30 [S] [expired: 2025-11-07]Impact
Attempting to run a release with goreleaser now fails with:
error=sign: gpg failed: exit status 2: gpg: skipped "A20B5C7E": Unusable secret key
gpg: signing failed: Unusable secret key
This blocks:
- Creating new releases
- Signing checksums for binary distributions
- Maintaining the release signing chain of trust