Description
This is related to #1034, #540 and #1379.
When we are better positioned to provide binaries and .deb packages, we need a key to sign them with.
My recommendation is that Zcash's master software signing key be created and stored on an air-gapped computer. We should determine which developers are responsible for making signatures and holding a copy of the key. Possibly we could even apply Shamir's secret sharing so that signing is a ceremony requiring the participation of multiple people possessing parts of the private key.
It would be acceptable to load the key onto a smartcard in order to facilitate signing from internet-connected build machines.
The public key should be published prominently somewhere on our website. We can also provide a keyring package for Debian in order to ease updates if the key ever needs to be rotated or revoked. The expiry should be set to something like 1 year, and we can periodically update the expiry as we are assured of the key's security.