The GPG signature used to sign the packages (such as DSA key ID 4AE55E93) needs to be listed in full in some obvious location (such as in the obtaining/download instructions and in a README in the directory where the releases are held, etc.)