On behalf of Nitrokey users, I request that the Nitrokey developers sign major software/firmware releases. Signing releases with PGP keys seems better than unsigned binaries and source code. However, I recently became aware of security vulnerabilities in PGP or in implementations of PGP such as GNU Privacy Guard (gpg). Please refer to the 2019 article by Latacora (The PGP Problem) and the recent 2025 presentation on media.ccc.de (39C3 To sign or not to sign: Practical vulnerabilities in GPG). Alternative options for signing software include SSH and Signify. I would like to petition the Nitrokey developers to sign binaries and source code with one of those options or to propose another signing method.
The Nitrokey Python packages are on PyPI. Related to PEP 740: the PyPI details for a release wheel file show that it was uploaded from GitHub (Trusted Publisher) and include attestations with a Sigstore entry. The attestations verify the package source, but as far as I can check, Nitrokey releases are not signed on PyPI or GitHub. I understand that GitHub commits are signed by the developers.
In the GitHub repo for pynitrokey, there is a maintainers file with the developers and their PGP public key IDs. The PGP public keys (.asc files) are located in the keys directory. One dev key is expired (in the GitHub repo), but there is an updated version on the Ubuntu PGP keyserver. Another dev key is valid in the GitHub repo, but I did not find that key listed on common PGP keyservers.
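As an added example that is not part of the post above and not Nitrokey project code, here is what the SSH-based signing option looks like end to end with ssh-keygen -Y: the maintainer signs a SHA256SUMS manifest for a release, and the user verifies that signature against an allowed_signers file before checking the artifacts against the manifest. The signer identity, namespace, file names and the "firmware" contents are all hypothetical and constructed inline.

```shell
#!/bin/sh
# Added example, not Nitrokey project code: release signing and verification
# with OpenSSH signatures (ssh-keygen -Y). Identity, namespace and file names
# below are hypothetical; the "firmware" bytes are constructed for the demo.
set -eu

SIGNER="release@example.org"   # hypothetical maintainer identity (allowed_signers principal)
NAMESPACE="nitrokey-release"   # hypothetical namespace; stops reuse of the signature elsewhere

# Portable SHA-256 front end (GNU coreutils or BSD/macOS shasum).
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Maintainer side: fresh work dir, a constructed artifact, a checksum manifest,
# a release key, an allowed_signers line for it, and a signature over the manifest.
setup_release() {
  WORK=$(mktemp -d)
  printf 'pretend firmware image bytes\n' > "$WORK/firmware-v1.2.3.bin"
  ( cd "$WORK" && sha256_cmd firmware-v1.2.3.bin > SHA256SUMS )
  ssh-keygen -q -t ed25519 -N '' -C "$SIGNER" -f "$WORK/release_key"
  # allowed_signers format: principal, options, key type, base64 key.
  # namespaces= restricts which signature namespace this key may be used for.
  printf '%s namespaces="%s" %s\n' "$SIGNER" "$NAMESPACE" \
    "$(cut -d' ' -f1,2 "$WORK/release_key.pub")" > "$WORK/allowed_signers"
  # Produces SHA256SUMS.sig next to the manifest.
  ssh-keygen -Y sign -f "$WORK/release_key" -n "$NAMESPACE" "$WORK/SHA256SUMS" 2>/dev/null
}

# User side, step 1: is SHA256SUMS really signed by the release key for this namespace?
# ssh-keygen -Y verify reads the signed message on stdin and returns 0 only on success.
verify_manifest() {
  ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$SIGNER" -n "$NAMESPACE" \
    -s "$WORK/SHA256SUMS.sig" < "$WORK/SHA256SUMS" >/dev/null 2>&1
}

# User side, step 2: only after the manifest checks out, compare artifacts to it.
verify_release() {
  verify_manifest || return 1
  ( cd "$WORK" && sha256_cmd -c SHA256SUMS >/dev/null 2>&1 )
}

# Attacker moves: replace the artifact, then rewrite the manifest to match it
# (what someone without the signing key would have to do).
tamper_artifact() { printf 'backdoor\n' >> "$WORK/firmware-v1.2.3.bin"; }
rewrite_manifest() { ( cd "$WORK" && sha256_cmd firmware-v1.2.3.bin > SHA256SUMS ); }

# Demo run when executed directly.
setup_release
if verify_release; then echo "genuine release: signature and checksums verified"; fi
tamper_artifact
if ! verify_release; then echo "swapped artifact rejected: checksum mismatch"; fi
rewrite_manifest
if ! verify_manifest; then echo "rewritten manifest rejected: signature no longer matches"; fi
rm -rf "$WORK"
```

The ordering matters: the signature is checked before the checksums, so an attacker who can replace both the binary and SHA256SUMS on a mirror still fails at step 1. In a real release the allowed_signers line would be published through a channel the user already trusts (for example pinned in the repository or documentation), and the namespaces= option, optionally combined with valid-before, keeps a key used for release signing from being accepted for anything else.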