Bitcoin Forum

It's been a while since I used gpg, and the resources I used to use to verify that a key was legit (like pgp.mit.edu) seem not to work like they used to. So I'm a bit stumped.

This post announcing the release of Bitcoin Core 0.20.0: https://lists.linuxfoundation.org/pipermail/bitcoin-core-dev/2020-June/000091.html
... shows a sig from key 9DEAE0DC7063249FB05474681E4AED62986CD25D

I have an old key for Wladimir J. van der Laan 01EA5486DE18A882D4C2684590C8019E36C2E964.

Please can anybody tell me how I'm supposed to be sure that 9DEAE0DC7063249FB05474681E4AED62986CD25D is indeed a legit key?

01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964 is the key he uses to sign the binaries. If you go to https://bitcoin.org/en/download, you will find the release signatures signed with that key.

The key 9DEA E0DC 7063 249F B054 7468 1E4A ED62 986C D25D is a subkey of the primary key 71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6. This primary key is displayed on his GitHub here: https://github.com/laanwj

You can find this key, and the associated public key block, at the following:

https://keyserver.ubuntu.com/pks/lookup?search=0x9DEAE0DC7063249FB05474681E4AED62986CD25D&op=index

http://pool.sks-keyservers.net/pks/lookup?search=0x9DEAE0DC7063249FB05474681E4AED62986CD25D&op=index

Technically as I understood it the main key for signing binaries is
01EA 5486 DE18 A882 D4C2 6845 90C8 019E 36C2 E964. So you don't need another key from GitHub to run bitcoind. It's just for informative purpose that he is truly the one behind release notes.