We are currently signing the same packages 2 times and uploading each set in two different places at different times.
At pre-release we sign packages and upload them on GitHub only, then when the version is marked as stable we re-sign and upload them on both GitHub and S3 (used by the site and the package channels), though actually these “new” signed packages do not overwrite the GitHub ones, so they end up with a different signature.
09/01/2022, 4:14 PM
@Stefano Bonicatti would you mind responding on Twitter or telling me if you’re OK with me taking a screenshot of your response and posting it? (with or without attribution). I wouldn’t want more people to see this without a response and think maybe the website and some keys are compromised 🙂