We trust Github, Cloudflare and many big Tech server hosts with access to the PGP keys that sign critical software.
It is important to have verification backups of those keys on multiple channels.
This is an additional one.
Not sure I follow your logic. If a signing key is compromised, it doesn’t matter if you have a backup of the signing key, payloads that are signed with the compromised key still look genuine because they have the right key.
If you’re worried about third party services abusing signing keys, you should look into reproducible builds instead.
The problem is if public keys are stored on some providers hardware, they could just replace them along with the binaries.
Happily many ecosystems will complain if the signing key changes. I.e. android.
And then we have Appimages XD
If I understand correctly, the idea is to cross-reference with the listed PGP keys to validate they haven’t been changed (implicitly by an adversary)? This essentially sounds like what you’re supposed to do with PGP anyway: keep the key so you can detect replacement of the key. The main difference is for someone who doesn’t already have the key, they can cross reference it with the directory (essentially like a Wayback Machine for PGP keys).
This site’s “articles” are some of the most misinformed, misguided nonsense on the web.
1000%. Hot takes, done quick, with a eye towards sketchy monitization.
