We trust GitHub, Cloudflare and many big tech server hosts with access to the PGP keys that sign critical software.
It is important to have verification backups of those keys on multiple channels.
This is an additional one.
The problem is that if public keys are stored on some provider's hardware, the provider could just replace them along with the binaries.
Happily, many ecosystems will complain if the signing key changes, e.g. Android.
And then we have AppImages XD