Hi,
geany-2.0.tar.bz2.sig Good signature from "Colomban Wendling ban@ban.netlib.re" [expired]
geany-2.0.tar.gz.sig Good signature from "Colomban Wendling ban@ban.netlib.re" [expired]
The key itself is *not* expired only the export available on the website. It was just updated and should work now also with the exported key available from the website. Alternatively, you could use gpg --recv-keys ACA0246889FB96B63382111724CCD8550E5D1CAE to update the key from the keyserver.
geany-2.0_setup.exe.sig Good signature from "Enrico Tröger enrico.troeger@uvena.de" [unknown]
The key used to create the signature is 51A0918FEF3439066BEB87F4579347E6C71A77FA and it is available at https://download.geany.org/eht16-pubkey.txt.
and for geany-plugins-2.0.*.sig
gpg: Signature made Oct 19, 2023 xx:xx:xx MDT gpg: using EDDSA key 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888 gpg: requesting key EC3A8C6CF6546888 from hkp://pgp.surf.nl gpg: Can't check signature: No public key
Will be fixed tomorrow. The key used can be imported from the keyserver using: gpg --recv-keys 23C0ACC6C2A22D6EB8A98563EC3A8C6CF6546888
There are also no signatures for the .zip and .tar.gz files containing the source code for both geany and geany-plugins.
Those files are auto generated by Github, there is no point in signing them except Github would do.
With previous releases, I have also used the MD5SUM, and SHA*SUM files for additional verification.
The hashes have been added in the meantime.
Regards, Enrico