I noticed that the 18.06.2 and 18.06.4 build SHA256sums are now GPG-signed by the "OpenWrt Build System (PGP key for unattended snapshot builds)" key. Before, I believe the 18.06.2 builds were signed with a release key. Why are these release builds being signed with a snapshot build key? Was there a policy change to use this key from now on?
I originally posted this on the /r/openwrt subreddit here, but did not get any replies. If someone could point me in the right direction on this it would be appreciated.
the original 18.06 GPG signing key got destroyed during build master migration, therefore builds since v18.06.2 are signed using the snapshot builds key. New keys are issued and listed at https://openwrt.org/docs/guide-user/security/signatures - beginning with 18.06.5, the PGP key for 18.06 release builds v2 (current) key will be used to sign releases.
Once I find the time, I plan to additionally retroactively sign v18.06.1 - v18.06.4 using the v2 key.