I don't use GPG often, so I probably did something wrong, and failed to get a trusted verification. I do like the idea that a hacker cannot change the signature file if gaining access to the web/file hosts, but how to verify it in secure way?
I did this:
/opt/local/bin/gpg --keyring ./d-keyring.gpg --verify dmd.2.098.1.osx.tar.xz.sig dmd.2.098.1.osx.tar.xz
gpg: Signature made søn 19 des 22:35:47 2021 CET
gpg: using RSA key 3AAF1A18E61F6FAA3B7193E4DB8C5218B9329CF8
gpg: Good signature from "Martin Nowak <code@dawg.eu>" [unknown]
gpg: aka "Martin Nowak <martin.nowak@7learnings.com>" [unknown]
gpg: aka "Martin Nowak <martin@dlang.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: F46A 10D0 AB44 C3D1 5DD6 5797 BCDD 73FF C3EB 6146
Subkey fingerprint: 3AAF 1A18 E61F 6FAA 3B71 93E4 DB8C 5218 B932 9CF8
I also did not find the key listed here: