Yubico · emlun · Nov 28, 2025 · Nov 28, 2025 · Nov 28, 2025
diff --git a/.github/workflows/release-verify-signatures.yml b/.github/workflows/release-verify-signatures.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
     - name: Fetch keys
-      run: gpg --no-default-keyring --keyring ./yubico.keyring --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+      run: gpg --no-default-keyring --keyring ./yubico.keyring --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E 9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1
 
     - name: Download signatures from Maven Central
       timeout-minutes: 60

diff --git a/doc/development.md b/doc/development.md
@@ -69,3 +69,8 @@ Publishing a release
 ---
 
 See the [release checklist](./releasing.md).
+
+The first time you publish a release, request to have your PGP key added to the trusted keyring in the [`release-verify-signatures` workflow][workflow-release-src].
+
+
+[workflow-release-src]: https://github.com/Yubico/java-webauthn-server/blob/main/.github/workflows/release-verify-signatures.yml