move to new signing keys

[totaam]

Instead of signing the packages with my personal key, create a new one (stronger too) for the project and ensure that other trusted developers can take it over if needed. (and store it on a hardware token to keep it safe)

The difficult part is going to be the transition, as packages can only be signed by a single key.
New packages could just add the new signing key to the system (ie: rpm --import) and eventually (6 months?) we can switch over to the new key without causing too many problems?

[totaam]

(doing this ticket only after #2967)

Links:

• YubiKey-Guide
• gpg2: How to get rid of “Please insert card with serial number”, getting the same key from a different card / Yubikey (need with Fedora 33 and multiple yubikeys with the same keys on them)
• How to manage multiple GitHub accounts on a single machine with SSH keys
• What is the Git equivalent for revision number?

[totaam]

The new key is here:
http://xpra.org/xpra.asc
And is already used with github through a yubikey.

Will follow up with package signing in #1830

[totaam]

Newer ticket for GPG keys: #3863