Public key for verifying release signatures
The public key for verifying release signatures is not easily available. It should either be placed in the repository or at least documented somewhere.
I had to dig through mailing list to find out that there is a key hosted on pgp.mit.edu.
https://cmake.org/pipermail/cmake/2016-May/063376.html
That server is incredibly unstable which makes importing the key very difficult.