fix: fetch Codecov PGP key from keybase.io/codecovsecops

[thomasrockhu-codecov]

Summary

• Reverts the embedded-PGP-key approach (fix: embed Codecov PGP public key instead of fetching from Keybase #73) and goes back to fetching the public key from Keybase at runtime.
• Switches the Keybase account from the defunct codecovsecurity to codecovsecops, which serves the same Codecov Uploader key (fingerprint 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869).
• Reverts the package.py PGP-block-preservation logic, which is no longer needed.

Verification

• https://keybase.io/codecovsecops/pgp_keys.asc → HTTP 200, valid armored key, fingerprint matches the Codecov Uploader key.
• scripts/validate.sh and dist/codecov.sh both fetch from codecovsecops.
• No codecovsecurity references and no embedded key block remain.
• package.py restored to its original form.

Test plan

• Confirm codecov.sh imports the key and verifies the CLI SHA256SUM signature end-to-end.

Made with Cursor

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.14%. Comparing base (8e7a4af) to head (eeb1c66).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #75   +/-   ##
=======================================
  Coverage   97.14%   97.14%           
=======================================
  Files           2        2           
  Lines          35       35           
=======================================
  Hits           34       34           
  Misses          1        1           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.