The signing key is the important bit though, right? This project breaks the chain of trust, as it clones the source repo, [does some shady stuff?], builds a new release, and uploads it to GitHub.
It's unlikely that this project knowingly does shady stuff – I've heard of it before, seems to be a long running legit project – but there are lots of unverified factors in that, and the lack of signing (I think?) on the final binaries also means it's hard to know if they get tampered with at some other step.