Update for new GPG keys #1130
138592f to deb36e2
I'll be merging this without waiting for Coveralls to report as there's an outage: https://status.coveralls.io/incidents/swvwc97k5s75
I'm also acutely aware of the "Verify release" builds failing - I revoked the old keys and I think this may have broken things. Mea Culpa. The information about GPG is kind of confusing.
Verify release workflow shows things are working again: https://github.com/PHPCSStandards/PHP_CodeSniffer/actions/runs/15624946366 - the PHIVE failures are due to a known issue: phar-io/phive#154 (unrelated to the GPG key)
Description
Update for new GPG keys
The GPG key expires every year - as per the recommendation, so a new key has been generated and uploaded to the openpgp database.
Release checklist: improve information about regenerating the GPG key
Ran into some issues while trying to do this earlier today. Documenting my findings to prevent the same issues when having to do it again next year.
I've also asked a question about key rotation in the PHIVE repo to get clarification on some things: phar-io/phar.io#147. This may result in a new PHIVE documentation page about this being available by next year 🤞🏻
It is also the reason why I have not explicitly released the `3.13.1` tag yet as the README does not contain information about the updated GPG key yet.
By rights the new key should probably also be mentioned in the changelog, but tags should be immutable, so I'm going to leave that for now. Hopefully this change in the release checklist will prevent this snafu for next year.
Suggested changelog entry
The GPG signature for the PHAR files has been rotated. The new fingerprint is: D91D86963AF3A29B6520462297B02DD8E5071466.
(but too late for the 3.13.1 release)