BUG #16948: Packages not signed - Mailing list pgsql-bugs

From PG Bug reporting form
Subject BUG #16948: Packages not signed
Date
Msg-id 16948-4e66275309cea117@postgresql.org
Responses Re: BUG #16948: Packages not signed  (Devrim Gündüz <devrim@gunduz.org>)
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      16948
Logged by:          Karsten Lenz
Email address:      karsten.lenz@dbi-services.com
PostgreSQL version: 13.2
Operating system:   SLES 15SP2
Description:

Now I've got an example with packages either signed by key with ID
1f16d2e1442df0f8 (postgres) or not signed at all. It looks like packages are
not signed anymore for the latest versions/releases.

From the Postgresql13 packages for SLES15 on
https://download.postgresql.org/pub/repos/zypp/13/suse/sles-15.2-x86_64/ ,
not all packages are signed:

SLES15_HOST:/var/cache/zypp/packages/artifactory:psqlsc-sles15-pgdg-13 # rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' *.rpm
pg_qualstats_13-2.0.2-2.sles15 (a)(none) (b)DSA/SHA1, Thu Nov 12 02:29:06 2020, Key ID 1f16d2e1442df0f8
pg_stat_kcache_13-2.2.0-1.sles15 (a)(none) (b)(none)
postgresql13-13.2-1PGDG.sles15 (a)(none) (b)(none)
postgresql13-contrib-13.2-1PGDG.sles15 (a)(none) (b)(none)
postgresql13-libs-13.2-1PGDG.sles15 (a)(none) (b)(none)
postgresql13-server-13.2-1PGDG.sles15 (a)(none) (b)(none)
repmgr_13-5.2.1-2.sles15 (a)(none) (b)(none)

Whereas for Postgres11, SLES12, all packages were signed
(https://download.postgresql.org/pub/repos/zypp/11/suse/sles-12.5-x86_64/):

SLES12_HOST:~ # rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' | egrep "pg_|postg|repm"
pg_qualstats11-1.0.6-1.sles12 (a)(none) (b)DSA/SHA1, Fri Nov  9 00:23:20 2018, Key ID 1f16d2e1442df0f8
postgresql11-server-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8
repmgr11-5.0.0-1.sles12 (a)(none) (b)DSA/SHA1, Tue Dec 10 11:19:44 2019, Key ID 1f16d2e1442df0f8
postgresql11-contrib-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8
postgresql11-libs-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8
pg_stat_kcache11-2.1.1-1.sles12.1 (a)(none) (b)DSA/SHA1, Thu Oct 18 14:47:26 2018, Key ID 1f16d2e1442df0f8
postgresql11-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13 16:02:50 2020, Key ID 1f16d2e1442df0f8

From the Postgresql11 repo for SLES12 SP5 and Postgresql13 for SLES15 SP2
I've downloaded the last few versions of the postgresql1x-server rpm. Older
packages are signed, but not the latest ones:

rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' post*.rpm | sort
warning: postgresql11-server-11.10-1PGDG.sles12.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
postgresql11-server-11.10-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:37:45 AM CET, Key ID 1f16d2e1442df0f8
postgresql11-server-11.11-1PGDG.sles12 (a)(none) (b)(none)
postgresql11-server-11.8-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Fri 15 May 2020 12:50:23 PM CEST, Key ID 1f16d2e1442df0f8
postgresql11-server-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 13 Aug 2020 04:02:50 PM CEST, Key ID 1f16d2e1442df0f8
postgresql13-server-13.0-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Wed 23 Sep 2020 08:41:46 PM CEST, Key ID 1f16d2e1442df0f8
postgresql13-server-13.1-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:18:36 AM CET, Key ID 1f16d2e1442df0f8

Are packages not signed anymore by intention?
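
Added example (not part of the original report, and not PGDG tooling): a POSIX shell filter that classifies the output of the rpm query used above, so that unsigned packages and packages signed by an unexpected key stand out when a whole repository directory is checked. The function names classify_sigs, audit_sigs and sample_output are hypothetical; the last sample line and its key ID are constructed.

```shell
#!/bin/sh
# Added example, not from the original report. Input is the output of:
#   rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' *.rpm

EXPECTED_KEY="1f16d2e1442df0f8"   # key ID quoted in the report

# classify_sigs KEYID: read query output on stdin, print "<STATUS> <package>".
#   OK        every signature present names KEYID
#   OTHERKEY  a signature names a different key
#   UNSIGNED  both tags are "(none)"
#   UNKNOWN   signature text present but no key ID could be parsed
classify_sigs() {
    awk -v want="$1" '
        /^warning:/ { next }                 # rpm NOKEY notices are not package lines
        {
            sub(/[ \t\r]+$/, "")             # tolerate trailing blanks and CRs
            a = index($0, " (a)"); b = index($0, " (b)")
            if (a == 0 || b < a) next        # not in the expected format
            pkg  = substr($0, 1, a - 1)
            rest = substr($0, a)
            status = (rest == " (a)(none) (b)(none)") ? "UNSIGNED" : "UNKNOWN"
            while (match(rest, /Key ID [0-9A-Fa-f]+/)) {
                key = tolower(substr(rest, RSTART + 7, RLENGTH - 7))
                if (key != want) { status = "OTHERKEY"; break }
                status = "OK"
                rest = substr(rest, RSTART + RLENGTH)
            }
            print status, pkg
        }'
}

# audit_sigs KEYID: print every package that is not OK; exit status 1 if any.
audit_sigs() {
    classify_sigs "$1" | awk '$1 != "OK" { bad = 1; print } END { exit bad + 0 }'
}

# Sample input: a NOKEY warning and three package lines taken from the report
# (unwrapped), plus one constructed line (example-pkg) to show OTHERKEY.
sample_output() {
    cat <<'EOF'
warning: postgresql11-server-11.10-1PGDG.sles12.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID 442df0f8: NOKEY
postgresql11-server-11.10-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:37:45 AM CET, Key ID 1f16d2e1442df0f8
postgresql11-server-11.11-1PGDG.sles12 (a)(none) (b)(none)
postgresql13-server-13.1-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Thu 12 Nov 2020 01:18:36 AM CET, Key ID 1f16d2e1442df0f8
example-pkg-1.0-1 (a)(none) (b)RSA/SHA256, Fri 01 Jan 2021 12:00:00 PM UTC, Key ID 0123456789abcdef
EOF
}

sample_output | classify_sigs "$EXPECTED_KEY"
```

The query tags only show which signature headers a package carries; checking a signature against the imported public key is a separate step (rpm -K, also spelled rpm --checksig).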

