Note, the first release of josepy was signed with a different key than
the rest of the certbot releases.  I asked upstream to produce a
signature validating the release using the standard release key and
independently verified it.

aztlan 福 ~/Debian/certbot/josepy
6371 ◯ : gpg --keyring josepy/debian/upstream/signing-key.asc --verify josepy-1.0.1.tar.gz.asc                                ⏎
gpg: assuming signed data in 'josepy-1.0.1.tar.gz'
gpg: Signature made Fri 26 Jan 2018 09:51:42 PM EST
gpg:                using RSA key A2CFB51FA275A7286234E7B24D17C995CD9775F2
gpg: Good signature from "Let's Encrypt Client Team <letsencrypt-client@eff.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A2CF B51F A275 A728 6234  E7B2 4D17 C995 CD97 75F2