I think I’ll give GPG, signed commits, and signed release tarballs another chance. 🤔 Let’s see how big of a headache this is going to be …
@movq@www.uninformativ.de I do them all the time, but not sure anyone ever bothers to check the signatures though 🤣
@movq@www.uninformativ.de oh probably because I’ve never published my key on a key server because who the heck knows what a good decent trustworthy GPG key server is anymore? 🤔
@movq@www.uninformativ.de What’s considered accepted convention for publishing my GPG public key to my website? Is there a .well-known
file/directory structure for this? Or some well-known resource name? 🤔 I think keys.pub expects to find for example keyspub.txt
@movq@www.uninformativ.de I think a “web of trust” is important, but I’ve never been to a key signing party? Sounds too hip for me 🤣 But yeah, I dunno. 🤷♂️ Trouble I find is that the utility and wide-spread of GPG is basically bupkis 😂
@fastidious@arrakis.netbros.com Genuinely impressed!
@fastidious@arrakis.netbros.com Some of my friends in college were really excited to actually find other fellow nerds in college willing to engage in a key signing party. They used it to send like 3 or 4 inconsequential emails and then just gave up on it.