I think I can do it. Right now I'm already signing all my commits, so basically it takes no extra effort to sign the releases (as co-maintainer) using the same key.
Since I don't use PGP's web of trust, the authentication scheme for my key will be TOFU (trust on 1st use). What it means is that during the 1st verification, users will download my key from the internet, (blindly) trust it to be authentic and use it to verify the release. On subsequent verifications, users will use the key downloaded previously to verify new releases. This way we only need to take the risk during the 1st verification. If nothing goes wrong, subsequent verifications will be secure.
I think I can do it. Right now I'm already signing all my commits, so basically it takes no extra effort to sign the releases (as co-maintainer) using the same key.
Since I don't use PGP's web of trust, the authentication scheme for my key will be TOFU (trust on 1st use). What it means is that during the 1st verification, users will download my key from the internet, (blindly) trust it to be authentic and use it to verify the release. On subsequent verifications, users will use the key downloaded previously to verify new releases. This way we only need to take the risk during the 1st verification. If nothing goes wrong, subsequent verifications will be secure.