Add fjahr attestations for 1776960000

[fjahr]

Adds my attestions for #47. Based on #50 which adds the attestations to this repo.

[fjahr]

Ready for review now with #50 merged

[jurraca]

The signature can't be validated, as it seems the signature here was made with EDDSA key C551C7A95C86B6D942C52ECF145F599ECE70D26C, but builder-keys/fjahr.gpg only shows RSA keys. did you mean to update your GPG key as well?

[fjahr]

Somehow the signing subkey was not part of the builder key. I have updated it. But for me, locally, the verification already worked before. Seems it would be better if the verification script would only use the actual builder keys.

[jurraca]

ACK 06c7a98

Codex suggests a tempdir from gnupg that loads all the builder keys every time. Wish there was a way to do this via a CLI flag.

tmp_gnupg="$(mktemp -d)"
chmod 700 "$tmp_gnupg"
trap 'rm -rf "$tmp_gnupg"' EXIT

GNUPGHOME="$tmp_gnupg" gpg --quiet --batch --import builder-keys/*.gpg
GNUPGHOME="$tmp_gnupg" gpg --quiet --batch --verify SHA256SUMS.asc SHA256SUMS

This would avoid the mismatch between your local and another user's verification. I can PR this separately unless objections on the approach.

[fjahr]

I can PR this separately unless objections on the approach.

Thanks, I don't think I see anything wrong with this in principle. But I also realized that a simple user error like mine can also be caught quicker by a CI job, so I am adding one here: #55 Since we already have very few eyes here it would help to cut down on unnecessary feedback loops as much as possible.