@DrDaveD (and anyone else with the same concern) - signed tags are now available (Releases · hashicorp/vault · GitHub). We have rotated the PGP key used to sign the tags, so you may wish to grab a new key to verify. The new public key is available at Security at HashiCorp, as well as Keybase and other PGP key servers.