A new UnrealIRCd release signing key has been created. The old signing key is still valid until 2025-06-29, the new one is valid until 2030-11-17. These keys are used for signing the .tar.gz and also for patch files that are used by the hot-patch/cold-patch script (eg for security fixes). If you are interested in all this PGP/GPG talk, feel free to read on, otherwise.. all this is a bit technical and may not be super interesting ;D.
The new key 36E6F65706E36B0937280299101001DAF48BB56D is signed by the old key 1D2D2B03A0B68ED11D68A24BA7A21B0A108FF4A9, as can be seen by a search at keyserver.ubuntu.com.
The new key is added to doc/KEYS in this git commit and thus will be in future version UnrealIRCd 6.1.9. The reason for publishing and adding a new key now, more than 6 months before use, is that the "./unrealircd upgrade" and "./unrealircd hot-patch" scripts verify authenticity of releases by the PGP signature, so if I were to use the new key directly then all existing upgrades with "./unrealircd upgrade" would fail (or at least give a BIG warning) due to the new unknown key. Instead, what I'm doing now, is to have both the old key and the new key is in doc/KEYS for the next 7 months, and only near the end of that period the new key will be used. That way anyone on 6.1.9 or later (which has both the old+new key) can use ./unrealircd upgrade to upgrade to version XYZ (whatever version is released in summer 2025 and later) without any problems.
The key is stored on a brand new YubiKey, a hardware token that is only plugged in when signing a release. The same procedure as I used in the past 10 years. The key is RSA4096, just like the old key. I went for RSA4096 again and not Ed25519 because it provides good compatibility and we don't care about shorter signatures/keys/timing attacks in the context of verifying releases/patches anyway. The new key expires in 2030.