GPG signed verification of releases #1644

Closed
jamesob opened this issue Dec 6, 2024 · 9 comments · May be fixed by #1646
jamesob commented Dec 6, 2024

Given the security-critical nature of this project, I think it would be preferable to have GPG-signed hashes available alongside source releases. Right now (AFAICT) this project is hinging completely on Github/HTTPS trust model when retrieving this repo for build and use.

Obviously the hashes and the signatures' GPG IDs would have to be posted somewhere aside from Github for full benefit.

I'm happy to help in whatever manner I can.

real-or-random (Contributor) commented:

Thanks for your feedback. This is a duplicate of #1175.

real-or-random closed this as not planned on Dec 9, 2024.

jonasnick (Contributor) commented:

> Right now (AFAICT) this project is hinging completely on Github/HTTPS trust model when retrieving this repo for build and use.

That's not correct. Release tags are GPG signed.

jamesob commented Dec 9, 2024

A few notes:

  1. When retrieving release artifacts (.zip or .tar.gz), as far as I can tell there aren't any signatures attached to those, so unless the git repo is being pulled down there isn't an easy way to verify.
  2. @jonasnick's signing key isn't mentioned anywhere not-Github, so in a sense Github is still a point of failure if e.g. the web UI lies about the GPG ID that Jonas has used for signing.

Thanks for letting me know that the release tags are signed. Maybe it would be worth mentioning how to verify (git tag -v $TAG) in the README; I can file a PR if you'd like.

@jonasnick you also might consider posting your GPG ID somewhere else where your identity is well known, and then mentioning that in the README.

jamesob commented Dec 9, 2024

Oh, and @jonasnick your key seems expired.

jonasnick (Contributor) commented:

@jamesob

> I can file a PR if you'd like.

This would be great.

> @jonasnick's signing key isn't mentioned anywhere not-Github

It is - for example on GPG keyservers. But where would you expect to find it? In particular, where did you find real-or-random's and sipa's keys?

> your key seems expired.

Doesn't seem expired to me

❯ GNUPGHOME=$(pwd) gpg --keyserver hkps://keys.openpgp.org --recv-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366"
gpg: WARNING: unsafe permissions on homedir '/home/me/tmp/tmpbla'
gpg: key B1A70E4F8DCD0366: public key "Jonas Nick <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
❯ GNUPGHOME=$(pwd) gpg --list-keys
gpg: WARNING: unsafe permissions on homedir '/home/me/tmp/tmpbla'
/home/me/tmp/tmpbla/pubring.kbx
-------------------------------
pub   rsa4096 2014-10-09 [SC] [expires: 2026-05-07]
      36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
uid           [ unknown] Jonas Nick <[email protected]>
sub   rsa4096 2017-06-26 [S] [expires: 2026-05-07]
sub   rsa4096 2017-06-26 [E] [expires: 2026-05-07]
sub   rsa4096 2017-06-26 [A] [expires: 2026-05-07]
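
The two procedures this thread touches on, verifying a signed release tag (git tag -v $TAG) and fetching the signer's key and checking its fingerprint, combined into one added shell example. This is not code from the issue or from the project's own tooling. It assumes a local git checkout that contains the tag, a 40-hex primary-key fingerprint obtained out of band (a value of the kind Jonas posted above is what you would pin), and an ASCII-armored key file from a keyserver or website; for the demo it constructs a throwaway repository and two throwaway keys with constructed example.invalid addresses. The point it makes concrete, which the thread only states, is that a "good signature" on its own is not enough: the signature has to come from the pinned fingerprint, and a key file fetched by e-mail address has to match that fingerprint before it is used at all.

```shell
#!/bin/sh
# Added example (not from the issue or from the project): verify a GPG-signed
# git tag against a primary-key fingerprint pinned out of band, using a
# throwaway GNUPGHOME so no ambient key, trust setting or "Verified" badge
# is consulted. Paths, tag names and keys below are constructed for the demo.

# verify_signed_tag REPO TAG PINNED_FPR PUBKEY_FILE
#   REPO         git checkout containing TAG
#   PINNED_FPR   40-hex primary fingerprint you obtained out of band
#   PUBKEY_FILE  ASCII-armored public key (keyserver, website, ...)
# Returns 0 only for a good signature whose primary key is PINNED_FPR.
verify_signed_tag() {
    repo=$1; tag=$2; pinned=$3; pubkey=$4
    home=$(mktemp -d) || return 1
    chmod 700 "$home"   # gpg warns about, and may refuse, a group-readable homedir

    # Import into an empty keyring, then check the key file is the pinned key:
    # a keyserver lookup by e-mail address may return someone else's key.
    gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null || {
        echo "verify: cannot import $pubkey" >&2; rm -rf "$home"; return 1; }
    have=$(gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null \
           | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$have" != "$pinned" ]; then
        echo "verify: key file has fingerprint $have, pinned $pinned" >&2
        rm -rf "$home"; return 1
    fi

    # --raw relays gpg's machine-readable status lines; match on those rather
    # than on the human-readable text that 'git tag -v' prints.
    status=$(GNUPGHOME=$home git -C "$repo" verify-tag --raw "$tag" 2>&1 || true)
    rm -rf "$home"
    case "$status" in
        *"[GNUPG:] EXPKEYSIG"*)
            # Valid signature but the key was expired when checked: the state
            # GitHub shows when its copy of a key is stale. Refresh the key
            # and re-check instead of accepting or rejecting blindly.
            echo "verify: good signature, but signing key is expired" >&2; return 1 ;;
        *"[GNUPG:] GOODSIG"*) ;;
        *) echo "verify: no good signature on $tag" >&2; return 1 ;;
    esac

    # VALIDSIG's last field is the primary key fingerprint (the signing subkey's
    # fingerprint comes first). A good signature from any other key still fails.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ "$signer" = "$pinned" ] || {
        echo "verify: signed by $signer, not pinned key $pinned" >&2; return 1; }
    echo "verify: $tag is signed by pinned key $pinned"
}

# --- demo: throwaway repo, one tag signed by the real key, one by an impostor
make_signer() {   # make_signer HOMEDIR USERID -> prints the new key's fingerprint
    mkdir -p "$1"; chmod 700 "$1"
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never >/dev/null 2>&1
    gpg --homedir "$1" --batch --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

sign_tag() {      # sign_tag HOMEDIR FPR REPO TAG
    GNUPGHOME=$1 git -C "$3" -c user.name=demo -c user.email=demo@example.invalid \
        -c user.signingkey="$2" tag -s "$4" -m "$4" 2>/dev/null
}

outcome() { if verify_signed_tag "$@" >/dev/null; then echo ok; else echo fail; fi; }

demo() {          # prints "genuine:ok impostor-tag:fail wrong-key-file:fail"
    work=$(mktemp -d); chmod 700 "$work"; repo=$work/repo
    git -c init.defaultBranch=main init -q "$repo"
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "release prep"
    fpr_a=$(make_signer "$work/keyA" "Release Signer (demo) <signer@example.invalid>")
    fpr_b=$(make_signer "$work/keyB" "Impostor (demo) <signer@example.invalid>")
    gpg --homedir "$work/keyA" --batch --armor --export "$fpr_a" > "$work/A.asc"
    gpg --homedir "$work/keyB" --batch --armor --export "$fpr_b" > "$work/B.asc"
    sign_tag "$work/keyA" "$fpr_a" "$repo" v1.0.0   # genuine release tag
    sign_tag "$work/keyB" "$fpr_b" "$repo" v1.0.1   # same e-mail, different key
    r1=$(outcome "$repo" v1.0.0 "$fpr_a" "$work/A.asc")   # ok
    r2=$(outcome "$repo" v1.0.1 "$fpr_a" "$work/A.asc")   # fail: not signed by pinned key
    r3=$(outcome "$repo" v1.0.1 "$fpr_a" "$work/B.asc")   # fail: key file != pinned fpr
    for d in keyA keyB; do gpgconf --homedir "$work/$d" --kill all 2>/dev/null || true; done
    rm -rf "$work"
    echo "genuine:$r1 impostor-tag:$r2 wrong-key-file:$r3"
}

command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1 && demo
```

Two design points worth noting. The fingerprint check right after import is what makes a keyserver result safe to use: it turns "a key with this e-mail address" into "the key I was told about out of band", which is the concern raised about keyserver uploads. And matching on gpg's status words (GOODSIG, EXPKEYSIG, VALIDSIG) rather than on the text of git tag -v keeps the expired-key case explicit instead of leaving it to a warning a script would scroll past; an expired key is a prompt to refresh the key and re-check, not a verification result either way.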

jamesob commented Dec 9, 2024

Oh interesting - github thinks it's expired for some reason.

[image: screenshot]

jamesob commented Dec 9, 2024

> It is - for example on GPG keyservers. But where would you expect to find it? In particular, where did you find real-or-random's and sipa's keys?

Anyone can submit a key with your email address to keyservers, so I'm not sure that counts. I'm not sure where the other guys attest to their GPG IDs, but I like doing so in my Twitter profile. Could be on your website or nostr etc. Presumably anywhere works where people have some rough assurance that the content is controlled by you.

real-or-random (Contributor) commented:

> Oh interesting - github thinks it's expired for some reason.

The revision in @jonasnick's GitHub profile has expired. The newest revision of the key (probably the one here, though I haven't verified this) has not expired.

jonasnick (Contributor) commented:

Thanks, I updated the key in my github profile.

> Anyone can submit a key with your email address to keyservers,

Not to keys.openpgp.org at least (if they are honest). If you google my key id, you will find it on my website and nixbitcoin.org. I've added it to my twitter bio, although I'm not sure that this will help much unless you already know who I am on twitter and happen to search for my key id there.
