pull down to refresh

Best way is to spread your key fingerprint around imo.
If you only use one site as the source of trust, it's a single point of failure. Even if it's Github.
I have to do that myself, still figuring things out around PGP keys
agree, and some of them are quite hard to search, e.g. Mullvad VPN, I couldn't find it in other places besides their site, madness.
reply
I don't see a key fingerprint there 👀
reply
MullvadVPN-2023.6.pkg.asc
👀
why the devs are making things to tricky, is it really meant for people to verify! or just trust.
I have to do that myself, still figuring things out around PGP keys
same, I'm verifying all the software that I use, good things is I don't use many.
reply
0 sats \ 1 reply \ @ek OP 25 Feb
That's a signature, not a key fingerprint 👀
do I have to revoke this message using a new signed message 👀👀👀
reply
then I couldn't find it other than their site - how is that possible, given how many people are using their tools. 😂
Once you’ve observed enough matching fingerprints from enough independent sources in enough different ways that you feel confident that you have the genuine fingerprint, keep it in a safe place.
reply