Info about verifying PGP fingerprint via GitHub is misleading

Continuing the discussion from New Signing Key?:

The wiki says:

Bisq installer files are currently built and signed by Alejandro Garcia (alejandrogarcia83). His public key ID is E222AA02 and fingerprint is B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02, which you can verify through commits on GitHub.[1]

However, a user cannot check the PGP public key ID of alejandrogarcia83’s keys by looking at the key ID of a signed commit by alejandrogarcia83, because “GitHub will sign the ‘merge commit’” and so the key ID is different.[2]

I.e. the PGP key ID of a signed commit by alejandrogarcia83 is B5690EEEBB952194, which does not match alejandrogarcia83’s key ID.

Shall the wiki be updated?

Bisq installer files are currently built and signed by Alejandro Garcia (alejandrogarcia83). His public key ID is E222AA02 and fingerprint is B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02.

Another user found this confusing: New Signing Key? - #12 by Till

The next question might be: how to offer another source of verification? But that might be another thread.

[1] Downloading and installing - Bisq Wiki
[2] https://bisq.community/t/new-signing-key/11853/11:

Copying the reply I got from Bisq 2 repo maintainer:

That’s normal. It’s GitHub’s PGP key. Look at the Bisq 2 repo commits (Commits · bisq-network/bisq2 · GitHub). When I merge PRs using the “GitHub UI” GitHub will sign the “merge commit”.

For really thorough people, I think the radical approach in this case is to clone the repository and build it, then pull it periodically and build it again to make sure you are bleeding edge. That’s how I do it anyway.
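
The key ID mismatch described in the first post can be checked mechanically. This is an added example, not part of the thread or of Bisq's own tooling. It assumes commit data in the shape printed by `git log --format='%H %GK'`, and the commit hashes in the sample are constructed.

```shell
#!/usr/bin/env bash
# Added example. Fingerprint and key IDs are the ones quoted in the thread;
# the commit hashes in the sample input are constructed.
WIKI_FPR="B493 3191 06CC 3D1F 252E 19CB F806 F422 E222 AA02"

# Drop separators and an optional 0x prefix, upper-case the hex digits.
normalize_hex() {
  printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# A key ID is the last 8 (short) or 16 (long) hex digits of a 40-digit
# fingerprint. Returns 0 on match, 1 on mismatch, 2 on malformed input.
keyid_matches_fpr() {
  _id=$(normalize_hex "$1"); _fpr=$(normalize_hex "$2")
  case "$_id$_fpr" in *[!0-9A-F]*) return 2 ;; esac
  [ "${#_fpr}" -eq 40 ] || return 2
  case "${#_id}" in 8|16|40) ;; *) return 2 ;; esac
  case "$_fpr" in *"$_id") return 0 ;; *) return 1 ;; esac
}

# Reads lines in the shape of `git log --format='%H %GK'` (commit hash, then
# the key ID git reports for the signature; empty when unsigned).
classify_commits() {
  while read -r _hash _keyid; do
    [ -n "$_hash" ] || continue
    if [ -z "$_keyid" ]; then
      echo "$_hash unsigned"
    elif keyid_matches_fpr "$_keyid" "$1"; then
      echo "$_hash signed-by-expected-key"
    else
      echo "$_hash signed-by-other-key:$_keyid"
    fi
  done
}

# Constructed sample: one commit signed with the wiki key, one carrying the
# key ID quoted in the thread for a merge made through the GitHub UI.
classify_commits "$WIKI_FPR" <<'EOF'
aaaaaaa F806F422E222AA02
bbbbbbb B5690EEEBB952194
ccccccc
EOF
```

Key IDs are short enough to collide, so treat a match as a pointer and compare the full 40-digit fingerprint before trusting a key.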