Update information about release signatures

The industry is moving away from GPG signatures, and signing
distribution artifacts will complicate the release process and make it
harder to allow other maintainers to make releases for only minor gain
in auditability of releases.

At least for now, we'll remove any guarantees about signatures and trust
GitHub's authentication.

Note: This commit is signed with the same key that signed releases
2.4.1-2.8.2.

1 files changed, 7 insertions, 4 deletions

diff --git a/README.rst b/README.rst
index a983f37..106023b 100644
--- a/README.rst
+++ b/README.rst
@@ -139,16 +139,19 @@ It is maintained by:
 * Yaron de Leeuw <me@jarondl.net> 2014-2016
 * Paul Ganssle <paul@ganssle.io> 2015-
 
-Starting with version 2.4.1, all source and binary distributions will be signed
-by a PGP key that has, at the very least, been signed by the key which made the
-previous release. A table of release signing keys can be found below:
+Starting with version 2.4.1 and running until 2.8.2, all source and binary
+distributions will be signed by a PGP key that has, at the very least, been
+signed by the key which made the previous release. A table of release signing
+keys can be found below:
 
 ===========  ============================
 Releases     Signing key fingerprint
 ===========  ============================
-2.4.1-       `6B49 ACBA DCF6 BD1C A206 67AB CD54 FCE3 D964 BEFB`_ 
+2.4.1-2.8.2  `6B49 ACBA DCF6 BD1C A206 67AB CD54 FCE3 D964 BEFB`_ 
 ===========  ============================
 
+New releases *may* have signed tags, but binary and source distributions
+uploaded to PyPI will no longer have GPG signatures attached.
 
 Contact
 =======