Maven / MNG-6761

3.6.2 builds are unsigned


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.6.2
    • Fix Version/s: None
    • Component/s: Bootstrap & Build
    • Labels: None

    Description

      $ gpg --verify --status-fd 1 apache-maven-3.6.2-bin.zip.asc apache-maven-3.6.2-bin.zip
      [GNUPG:] NEWSIG
      gpg: Signature made Tue Aug 27 17:10:11 2019 CEDT
      gpg:                using RSA key BBE7232D7991050B54C8EA0ADC08637CA615D22C
      [GNUPG:] ERRSIG DC08637CA615D22C 1 10 00 1566918611 9 BBE7232D7991050B54C8EA0ADC08637CA615D22C
      [GNUPG:] NO_PUBKEY DC08637CA615D22C
      gpg: Can't check signature: No public key
      

       
       whereas for 3.6.1

      $ gpg --verify --status-fd 1 apache-maven-3.6.1-bin.zip.asc apache-maven-3.6.1-bin.zip
      [GNUPG:] NEWSIG
      gpg: Signature made Thu Apr  4 21:02:59 2019 CEDT
      gpg:                using RSA key AE9E53FC28FF2AB1012273D0BF1518E0160788A2
      [GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
      [GNUPG:] SIG_ID SPyIoMJ54Xs7p43r2ZmK3Z9ktFY 2019-04-04 1554404579
      [GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
      [GNUPG:] GOODSIG BF1518E0160788A2 Karl Heinz Marbaise (ASF Key) <khmarbaise@apache.org>
      gpg: Good signature from "Karl Heinz Marbaise (ASF Key) <khmarbaise@apache.org>" [unknown]
      [GNUPG:] VALIDSIG AE9E53FC28FF2AB1012273D0BF1518E0160788A2 2019-04-04 1554404579 0 4 0 1 10 00 AE9E53FC28FF2AB1012273D0BF1518E0160788A2
      [GNUPG:] KEY_CONSIDERED AE9E53FC28FF2AB1012273D0BF1518E0160788A2 0
      [GNUPG:] TRUST_UNDEFINED 0 pgp
      gpg: WARNING: This key is not certified with a trusted signature!
      gpg:          There is no indication that the signature belongs to the owner.
      Primary key fingerprint: AE9E 53FC 28FF 2AB1 0122  73D0 BF15 18E0 1607 88A2
      

      I've tried to download from several sites; all downloads have the same issue.


          People

            eolivelli Enrico Olivelli
            n1ghtm4n4g3r KOVÁCS PÉTER
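The two `--status-fd` transcripts in the description can be told apart mechanically. The following is an added example, not part of the original report or of the Maven project's tooling: it classifies the machine-readable `[GNUPG:]` lines and separates "signature present but signer key not in the local keyring" (`NO_PUBKEY`) from a valid signature by a pinned key. The `classify` function, the verdict names and the `PINNED` set are assumptions made for illustration; the pinned fingerprint is the one shown in the 3.6.1 output and stands in for fingerprints obtained out of band, for example from the project's published KEYS file.

```python
PREFIX = "[GNUPG:] "

# Status lines copied from the two gpg runs in the report above.
STATUS_3_6_2 = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG DC08637CA615D22C 1 10 00 1566918611 9 "
    "BBE7232D7991050B54C8EA0ADC08637CA615D22C\n"
    "[GNUPG:] NO_PUBKEY DC08637CA615D22C\n"
)
STATUS_3_6_1 = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG BF1518E0160788A2 Karl Heinz Marbaise (ASF Key) "
    "<khmarbaise@apache.org>\n"
    "[GNUPG:] VALIDSIG AE9E53FC28FF2AB1012273D0BF1518E0160788A2 2019-04-04 "
    "1554404579 0 4 0 1 10 00 AE9E53FC28FF2AB1012273D0BF1518E0160788A2\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Assumption: fingerprints pinned out of band (e.g. from the project's KEYS file).
PINNED = {"AE9E53FC28FF2AB1012273D0BF1518E0160788A2"}


def classify(status_text, pinned):
    """Map gpg --status-fd output to (verdict, key id or fingerprint)."""
    events = {}
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            keyword, _, rest = line[len(PREFIX):].partition(" ")
            events.setdefault(keyword, []).append(rest.split())
    if len(events.get("NEWSIG", [])) != 1:
        return ("no-single-signature", None)  # zero or several signatures
    if "BADSIG" in events:  # data does not match the signature
        return ("bad-signature", events["BADSIG"][0][0])
    if "NO_PUBKEY" in events:  # signed, but signer's key is not in the keyring
        return ("missing-key", events["NO_PUBKEY"][0][0])
    for keyword in ("EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
        if keyword in events:
            return (keyword.lower(), events[keyword][0][0])
    if "VALIDSIG" in events:
        args = events["VALIDSIG"][0]
        # Field 10 is the primary key fingerprint; fall back to field 1 if absent.
        fpr = args[9] if len(args) >= 10 else args[0]
        # TRUST_UNDEFINED is ignored: the pin, not the web of trust, decides.
        return ("valid-pinned" if fpr in pinned else "valid-unpinned", fpr)
    return ("unverified", None)


if __name__ == "__main__":
    print("3.6.2:", classify(STATUS_3_6_2, PINNED))
    print("3.6.1:", classify(STATUS_3_6_1, PINNED))
```

A `missing-key` verdict means the artifact could not be checked at all, so a build pipeline should treat it as a failure until the signer's key has been fetched and its fingerprint compared against the pinned set.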