I used to maintain the OpenPGP.js library (used in ProtonMail) and I don’t use PGP. And Phil Zimmermann doesn’t use PGP because he prefers Apple Mail on his iPhone.

I always ask myself: what’s the point of asking users to download a PGP public key to verify a binary they download from the same website? Users aren’t getting more integrity assurances over what SSL already offers them, since most have no idea how to use WoT.

It’s different with nostr... every user has a WoT that they can manage (with decent enough UX) and it already gives them value outside of verifying binaries. So I’d love to see an easy-to-use “nostr-verify” unix program that you pass your npub that *just works*. Anyone that wants to attest a given binary can upload their signatures to their relays. Then the “nostr-verify” program just pulls these sigs from my relays to verify the binary. Does this exist? nostr:note1qqq9ytr5f5ffrdq3j2478d0n7m4ydwwqc0wyur6jun9rn9qetckqvyyz8d