> In the past people have posted photos of signify keys from CDs,
> they're on various list posts, release notes, etc. Doing a web
> search for the key that you have should find a number of results.
>
> Once you have *one* verified signify key, as long as you're not
> skipping updates, there is a closed loop. release n's keys are
> included in release n-1.

Cool, reminds me of the key comparison to FreeBSD in the libsodium docs :-)

Considering dilemmas on chicken and egg in my own mind in the past, it is worth noting that many GPG/PGP key servers refuse delivery over TLS because of a "false sense of security", i.e. reducing PGP security down to the TLS level. Better than nothing if you can't acquire keys out of band vs. encouraging bad behaviour is the argument.

--
KISSIS - Keep It Simple So It's Securable