Hi,
These appear in only one place, on the coreboot.org Downloads page, and are signed with the key:
D861AB74FB933260193399696B249D77269C04E1
The only problem is there is apparently no mention of the signing key anywhere else on the coreboot website. I usually look for some explicit, official reference (preferably in multiple contexts) to a person or org's key ID before downloading it from a keyserver. Taking the key ID from an object signature doesn't satisfy that requirement.
For whatever it's worth: that's my key (for my non-corporate email addresses) and I'm the legit (and to my knowledge) only holder of its private key.
I guess I could add it to the site but then again that's the same server as the one you're download the archive and signature from, so if somebody manages to tamper with the archive they could also put their own key there. I'll make sure to get a few signatures onto the key so it's hooked up with the web of trust, but that won't happen very soon.
Patrick
Patrick -- Google Germany GmbH, ABC-Str. 19, 20354 Hamburg Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg Geschäftsführer: Paul Manicle, Halimah DeLaine Prado