Thread

Zero-JS Hypermedia Browser

Relays: 5
Replies: 2
Generated: 16:26:23
avatar
SatsAndSports npub1zthq...xm56
I'm trying to bootstrap my gpg setup for verifying the binaries, but I always have some problem. I've never, before today, tried to use gpg for anything and therefore I don't know what keys to trust Do you use gpg? Any tips? I guess I'm looking for an up-to-date key, where I can see some other evidence (e.g. a PGP key on a Nostr/X profile) that the key is genuine image
2025-10-13 08:51:00 from 1 relay(s) ↑ Parent 1 replies ↓
Login to reply

Replies (2)

avatar
Felix f321x@f321x.com npub1z9n5...vycf
Kind of a pgp newbie myself, so basically you can find the pgp keys of the developers signing the binaries on the website or core repository (not sure exactly where), then you can cross verify. Many devs have their key fingerprint in github profiles, slides of talks in yt videos, meeting them in person. We can also exchange our key lists here to cross check if we have the same keys, I guess that increases the probability they are legit and we didn't get served wrong keys by the website. Best is probably to verify keys in person with someone in the web of trust that signed other developers keys so there is a chain of signatures between you and the actual devs. Meetups might be a good place to start this.
2025-10-13 21:51:46 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
avatar
SatsAndSports npub1zthq...xm56
I eventually did that with one of the signers, after I realised I already followed him on Nostr. So I dug around to find his key and I even got him to confirm it via Nostr
2025-10-13 22:07:23 from 1 relay(s) ↑ Parent Reply