I have not tested the new release so far and there is one thing irritating me: Why is the new signing key not signed by the old signing key? This way, you could trust the new key and the verified image without having to trust the web server (which, as we all know, has been compromised before). If I have once established trust via PGP I prefer to maintain the trust for PGP keys via Web of Trust, instead of relying on external verification.