Sign binaries and release tags with (better) GPG key
Please note by far the quickest way to get a new feature is to file a Merge Request.
Description of the new feature
I was a bit disappointed when I found out that you don't sign anything, as Gajim advertises on the front page "Chat securely with End-to-End encryption via OMEMO or PGP." I think it is critical for software that may be used by high-profile individuals (like whistleblowers) to take security seriously. However, you guys only use a 1024-bit RSA key for signing Debian packages and don't sign release tags or binaries, which is disappointing. I suggest that you should get a new GPG key (preferably 4096-bit RSA), always sign release tags and binaries, and suggest that users verify downloads.
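
The key-strength concern raised in this issue can be checked mechanically. The Python below is an added example, not part of the original issue and not Gajim project code: it parses `gpg --list-keys --with-colons` output and reports every signing- or certification-capable key, flagging RSA/DSA keys below a minimum size. The function name, the 2048-bit default threshold and the sample keyring (placeholder key IDs) are assumptions made for illustration.

```python
# Added example: audit signing keys from `gpg --list-keys --with-colons` output.
# Colon-format fields used: 1=record type, 3=key length, 4=algorithm id,
# 5=key id, 12=capabilities (s=sign, c=certify, e=encrypt, a=authenticate).

ALGOS = {"1": "RSA", "17": "DSA", "19": "ECDSA", "22": "EdDSA"}
SIZE_CHECKED = {"1", "17"}  # bit length is only comparable for RSA and DSA

# Constructed sample keyring; key IDs and user IDs are placeholders.
SAMPLE = """\
tru::1:1600000000:0:3:1:5
pub:-:1024:1:AAAAAAAAAAAAAAAA:1262304000:::-:::scSC:
uid:-::::1262304000::0000::Constructed Old Key <old@example.org>:
sub:-:1024:1:BBBBBBBBBBBBBBBB:1262304000::::::e:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1577836800:::-:::scSC:
uid:-::::1577836800::0000::Constructed New Key <new@example.org>:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1577836800::::::e:
pub:-:255:22:EEEEEEEEEEEEEEEE:1609459200:::-:::scSC:
uid:-::::1609459200::0000::Constructed ECC Key <ecc@example.org>:
"""


def audit_signing_keys(colon_output, min_bits=2048):
    """Return one finding per key that can sign or certify.

    min_bits is an assumed policy threshold; the issue above asks for
    4096-bit RSA, so callers may raise it.
    """
    findings = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue  # skip uid, tru, fpr and malformed records
        caps = fields[11]
        if "s" not in caps and "c" not in caps:
            continue  # encryption-only subkeys do not sign releases
        bits, algo = int(fields[2]), fields[3]
        findings.append({
            "keyid": fields[4],
            "algo": ALGOS.get(algo, "algo-" + algo),
            "bits": bits,
            # ECC keys have short bit lengths by design; do not flag them.
            "weak": algo in SIZE_CHECKED and bits < min_bits,
        })
    return findings


if __name__ == "__main__":
    for f in audit_signing_keys(SAMPLE):
        status = "WEAK" if f["weak"] else "ok"
        print(f'{f["keyid"]} {f["algo"]}-{f["bits"]}: {status}')
```
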