Thanks for the reminder - please refer to the linked issue for the anticipated course of action.

@dvzrv I have just released v4.0.4 which should be signed with the known key. CC @Harmon758

In May we should be able to move package signing to CI while maintaining a chain of trust.

@Byron thanks for being on top of this! :)

I have one follow up question: Why is the package now again pushed to gitdb and not as before gitdb2?

Please don't mind the above, I used the wrong signing key.

The way I understand it, gitdb2 is just for use by older GitPython releases, where is gitdb is the package we use from here on. The reason for gitdb2 to come into existence in the first place was me losing access to my pypi account when they disabled support for Google as login mechanism.

It's a great reminder though, as probably I should also re-release gitdb2 with the correct signing key for it to be picked up one last time.

Release 4.0.5 was created and signed with 2CF6E0B51AAF73F09B1C21174D1DA68C88710E60.
Please feel free to close this issue when verified to be correct.