Your PGP key is basically who you are on the internet.
Not really... It's just a cryptographic key. They expire, get lost, get stolen... so it's not "your identity".
For large public-facing repos it's unwise to rely on every individual contributor's security, so you don't build a process around that because if the process fails with one contributor leaking their keys, you're screwed. Instead you:
Have PGP sigs on merge commits and tags
Validate these
Always be vigilant
If you have an active community, issues will be spotted. If you don't, you have to do the work yourself.
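One way to put the "sign merge commits, then validate" step into practice, as an added example that is not part of the reply above: a policy check over the output of `git log --format='%H|%P|%G?|%GP'`, requiring every merge commit to carry a good signature from a pinned set of maintainer key fingerprints (so a single contributor's leaked key cannot land a merge). The sample log, hashes and fingerprints below are constructed, and the allowlist is an assumption you would replace with your own maintainers' fingerprints.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of `git log --format='%H|%P|%G?|%GP'` output (all values made up).
# %P  = parent hashes (two or more means a merge commit)
# %G? = git's signature status: G good, U good but untrusted, B bad, X/Y expired,
#       R revoked, E cannot be checked (missing key), N no signature
# %GP = primary-key fingerprint of the signing key
SAMPLE_LOG = """\
1111aaaa|0000aaaa 0000bbbb|G|F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1
2222bbbb|1111aaaa|N|
3333cccc|2222bbbb 0000cccc|U|F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1
4444dddd|3333cccc 0000dddd|G|C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0
5555eeee|4444dddd 0000eeee|E|
"""

# Assumed allowlist: fingerprints of the keys allowed to sign merges (hypothetical values).
MAINTAINER_KEYS = {"F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1"}


@dataclass
class Finding:
    commit: str
    reason: str


def check_merge_commits(log_text, allowed_fprs=MAINTAINER_KEYS):
    """Return one Finding per merge commit that is not signed with a good
    signature by an allowlisted maintainer key. Non-merge commits are skipped:
    the policy deliberately does not depend on every contributor's key."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, parents, status, fpr = line.split("|")
        if len(parents.split()) < 2:
            continue  # ordinary commit, not subject to the merge policy
        if status != "G":
            findings.append(Finding(commit, f"signature status {status!r} is not good"))
        elif fpr.upper() not in allowed_fprs:
            findings.append(Finding(commit, f"signed by key {fpr}, not a maintainer key"))
    return findings


def check_repo(rev_range="HEAD"):
    """Run the same check against a real repository (requires git and gpg)."""
    out = subprocess.check_output(
        ["git", "log", "--format=%H|%P|%G?|%GP", rev_range], text=True)
    return check_merge_commits(out)


if __name__ == "__main__":
    for f in check_merge_commits(SAMPLE_LOG):
        print(f"{f.commit}: {f.reason}")
```

Note that "U" (good signature, untrusted key) is rejected on purpose: trust comes from the allowlist, not from the local gpg trust database.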