Hi Laszlo,
you can find the keys on the public key servers. I've attached the fingerprints, but gpg can also show them to you when trying to verify it.
Why are there two signatures in the GPG signature file (for release 4.6) and why do the signature dates differ from the release date (according to the website)?
More signatures are better ;). Choose your own trust anchor. I've signed it after it was released.
Best, lynxis
Alexander Couzens lynxis@fe80.eu Key fingerprint = 390D CF78 8BF9 AA50 4F8F F1E2 C29E 9DA6 A0DF 8604
Martin Roth (coreboot developer) martin@coreboot.org Key fingerprint = 574C E6F6 855C FDEB 7D36 8E9D 1979 6C2B 3E4F 7DF7
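
Added example, not part of the original message or of coreboot's own tooling: one way to pin the two fingerprints listed above and accept a release only if a pinned key produced a valid signature, using GnuPG's machine-readable `VALIDSIG` status lines. The function names and the sample status text are constructed for illustration; the sample assumes each signature was made with the primary key.

```python
import subprocess

# Fingerprints copied from the message above (spaces removed).
PINNED = {
    "390DCF788BF9AA504F8FF1E2C29E9DA6A0DF8604": "Alexander Couzens",
    "574CE6F6855CFDEB7D368E9D19796C2B3E4F7DF7": "Martin Roth",
}

# Constructed sample of `gpg --status-fd 1 --verify` output for a signature
# file carrying two signatures; dates and timestamps are made up.
SAMPLE_STATUS = "\n".join(
    f"[GNUPG:] VALIDSIG {fpr} 2017-01-0{i} 148322880{i} 0 4 0 1 8 00 {fpr}"
    for i, fpr in enumerate(PINNED, start=1)
)

def valid_signers(status_text):
    """Map primary-key fingerprint -> signature timestamp for each VALIDSIG."""
    found = {}
    for line in status_text.splitlines():
        parts = line.split()
        # [GNUPG:] VALIDSIG <fpr> <date> <sig-timestamp> ... [<primary-key-fpr>]
        if len(parts) >= 5 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # The optional last field is the primary key; fall back to <fpr>.
            primary = parts[11] if len(parts) >= 12 else parts[2]
            found[primary.upper()] = parts[4]
    return found

def check_release(status_text, required=1):
    """Return (ok, {fpr: name}) where ok means >= `required` pinned signers."""
    signers = valid_signers(status_text)
    trusted = {fpr: PINNED[fpr] for fpr in signers if fpr in PINNED}
    return len(trusted) >= required, trusted

def gpg_status(sig_path, data_path):
    """Run gpg on real files (needs gpg and the imported public keys)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return proc.stdout

if __name__ == "__main__":
    ok, who = check_release(SAMPLE_STATUS, required=2)
    print("accepted" if ok else "rejected", sorted(who.values()))
```

The signature timestamp in `VALIDSIG` is when the signature was created, so it can be later than the release date without affecting validity.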