I’m trying to verify the signature of the checksum file, but I’m running into issues:
koos@rietgors:~/tmp> gpg --import release-key.txt
gpg: key E5665F9BD5970C47: 1 signature not checked due to a missing key
gpg: key E5665F9BD5970C47: public key "Syncthing Release Management <release@syncthing.net>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
koos@rietgors:~/tmp> gpg --verify sha256sum.txt.asc
gpg: Signature made Wed Oct 16 09:53:19 2024 CEST
gpg: using RSA key 37C84554E7E0A261E4F76E1ED26E6ED000654A3E
gpg: Can't check signature: No public key
Apparently I’m still missing the pubkey. Seems odd, no?