Hi @DrDaveD,
I’ve also commented on the other post (Source code lagging behind security release announcement - #3 by mladlow), but I wanted to follow up here for good measure.
Signed tags are now available (Releases · hashicorp/vault · GitHub). We have rotated the PGP key used to sign the tags, so you may wish to grab a new key to verify. The new public key is available at Security at HashiCorp, as well as Keybase and other PGP key servers.