readme: add list of all keyring maintainers that could issue releases

This declares a list of all legitimate keys.

README.md

@@ -121,17 +121,42 @@ how to provide fixes or improvements for the code base.
 
 [Releases of
 archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
-are created by its current maintainer [Christian
-Hesse](https://gitlab.archlinux.org/eworm). Tags are signed using the PGP key
-with the ID `02FD1C7A934E614545849F19A6234074498E9CEE`.
+are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
 
-To verify a tag, first import the relevant PGP key:
+The tags are signed with one of the following legitimate keys:
+
+```
+Christian Hesse <eworm@archlinux.org>
+02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
+
+David Runge <dvzrv@archlinux.org>
+C7E7 8494 66FE 2358 3435  8837 7258 734B 41C3 1549
+
+Pierre Schmitz <pierre@archlinux.org>
+4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
+
+Florian Pritz <bluewind@archlinux.org>
+CFA6 AF15 E5C7 4149 FC1D  8C08 6D16 55C1 4CE1 C13E
+
+Giancarlo Razzolini <grazzolini@archlinux.org>
+ECCA C84C 1BA0 8A6C C8E6  3FBB F22F B1D7 8A77 AEAB
+
+Levente Polyak <anthraxx@archlinux.org>
+E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8
+
+Morten Linderud <foxboron@archlinux.org>
+C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16
+```
+
+To verify a tag, first import the relevant PGP keys:
 
 ```bash
-gpg --auto-key-locate wkd --search-keys eworm@archlinux.org
+gpg --auto-key-locate wkd --search-keys <email-from-above>
 ```
 
-Afterwards a tag can be verified from a clone of this repository:
+Afterwards a tag can be verified from a clone of this repository. Please note
+that one **must** check the used key of the signature against the legitimate
+keys listed above:
 
 ```bash
 git verify-tag <tag>

[Levente Polyak]

Just for future paper trail: This commit has been signed using the established (old) signing key that has been used for all previous releases of the keyring:

git verify-tag 20220424
gpg: Signature made Sun 24 Apr 2022 09:49:15 PM CEST
gpg:                using EDDSA key A63A5DDFAF2A36373B7C0A924E8FCA25FDAC4855
gpg: Good signature from "Christian Hesse <Christi@n-Hes.se>" [unknown]
gpg:                 aka "Christian Hesse <mail@eworm.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD84 DE71 F493 DF68 14B0  1672 54ED C916 09BC 9183
     Subkey fingerprint: A63A 5DDF AF2A 3637 3B7C  0A92 4E8F CA25 FDAC 4855

git verify-commit c1e08e6a61e48afa9eaa4a3c08f2d61c75d6f1e8
gpg: Signature made Sun 24 Apr 2022 10:21:40 PM CEST
gpg:                using EDDSA key A63A5DDFAF2A36373B7C0A924E8FCA25FDAC4855
gpg: Good signature from "Christian Hesse <Christi@n-Hes.se>" [unknown]
gpg:                 aka "Christian Hesse <mail@eworm.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD84 DE71 F493 DF68 14B0  1672 54ED C916 09BC 9183
     Subkey fingerprint: A63A 5DDF AF2A 3637 3B7C  0A92 4E8F CA25 FDAC 4855

this legitimates the future keys as listed in the readme, which include eworms new key:

Christian Hesse <eworm@archlinux.org>
Primary key fingerprint: 02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
     Subkey fingerprint: 0429 897D E5F3 BDAC 537A  3069 6D42 BDD1 16E0 068F