So, finally got around to dealing with this new Sigil version, as I am now the official (co-)maintainer of the Arch Linux package.
And I see it has PGP signatures for the source code tarballs, as you promised when I requested it.
Quick question though, DiapDealer -- do you publish your key anywhere other than in that signature file? It would be nice if, for example, you could cross-post the fingerprint to the official Sigil blog, and to your release announcement here (making three independently operated sites that would have to be hacked in order to pull off a forgery). An integral part of having the signature so that it can be verified tamper-free, is being able to check that any hypothetical attacker did not just upload their own faked key at the same time as the source code itself.