How pgp is used to very software binaries: blindly trust and import the gpg public key that we show next to the same place you are downloading the binaries.
nostr + WoT fixes this.