I was just upgrading and wondered: what if GitHub compromises the keys in the guix repo? How do I check the keys? Also, why don't core developers cross-sign their keys?

Discussion

Hence "You should download multiple developers' public keys from at least two independent sources each and ensure they match. Ideally, you should verify key fingerprints in person with the developer(s) to the best of your ability."😉

Catch me at a Bitcoin conference sometime - I carry around business cards with my PGP key fingerprint.

In the past, Core devs have had key signing meetings, but I had to make a new key after the last one.

It would be a pleasure to meet you in person: hope it will happen soon!
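
The cross-check discussed in this thread (the same developer key fetched from two independent sources, plus a fingerprint obtained in person), as an added example that is not part of the original posts. The file names and sample listings are constructed, and it assumes each downloaded key has already been listed in gpg's colon format.

```shell
#!/bin/sh
# Print primary-key fingerprints found in `gpg --with-colons` output on stdin.
# The "fpr" record right after a "pub" record holds the fingerprint in field 10;
# "sub" clears the flag so subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    ' | sort -u
}

# compare_sources A B: succeed only if both listings contain a primary key
# and the two sets of primary fingerprints are identical.
compare_sources() {
    a=$(primary_fprs < "$1"); b=$(primary_fprs < "$2")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# matches_card FILE "FPR": check a listing against a fingerprint obtained in
# person (e.g. printed on a card), ignoring spaces and letter case.
matches_card() {
    card=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$card" in ''|*[!0-9A-F]*) return 1 ;; esac
    primary_fprs < "$1" | grep -Fxq -- "$card"
}

# Constructed sample listings (not real keys). Real input would come from e.g.
#   gpg --show-keys --with-colons dev-from-source-a.asc > source_a.colons
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/source_a.colons" <<'EOF'
pub:-:4096:1:DDDD4444EEEE5555:1500000000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1500000000::::Constructed Dev <dev@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e:
fpr:::::::::9999000099990000999900000123456789ABCDEF:
EOF
# Second source: same primary key, no subkey published.
sed -n '1,3p' "$SAMPLES/source_a.colons" > "$SAMPLES/source_b.colons"
# Third source: a substituted key carrying the same user ID.
sed 's/EEEE5555/EEEE5556/' "$SAMPLES/source_a.colons" > "$SAMPLES/source_c.colons"

compare_sources "$SAMPLES/source_a.colons" "$SAMPLES/source_b.colons" && echo "a/b match"
compare_sources "$SAMPLES/source_a.colons" "$SAMPLES/source_c.colons" || echo "a/c MISMATCH"
```

Only the primary fingerprint is compared, since independent sources can legitimately differ in which subkeys or user IDs they carry.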