please sign Tor releases with an OpenPGP tool that includes Issuer Fingerprint subpackets
The OpenPGP signatures on distributed tor software currently have only an unhashed "issuer" subpacket, which contains only the 64-bit keyid of the public key used to create the signature.
Modern versions of GnuPG (version 2.1.16 or later) produce an "issuer fingerprint" subpacket in each signature by default, which includes the full fingerprint of the issuing public key.
The "issuer fingerprint" subpacket provides a much stronger linkage between the signature and the OpenPGP key used to make it.
This is not a core security concern -- that is, lack of an "issuer fingerprint" subpacket doesn't make it possible to forge signatures or do anything comparably serious -- but the story we tell about verifying signatures is cleaner if the full fingerprint is present in each signature.
If it is possible to upgrade the version of GnuPG (or any other modern OpenPGP implementation) that signs Tor releases to one that generates these subpackets, that would be a good thing.