Can you help me with gpg? I want to get in the habit of verifying the gpg signatures of the SHA hashes of the binaries.

For example, with SHA256SUMS and SHA256SUMS.asc , 'gpg --verify SHA256SUMS.asc' is - understandably - not fully willing to verify as there isn't a single pubkey that I trust at the moment.

Apparently, I need to run 'gpg --import' on 'https://bitcoin.org/laanwj-releases.asc'. Does that make sense?

Of course, that implies that I trust the contents of laanwj-releases.asc 😀. Given that I trust your npub, is there anything you and I can do to 'bootstrap' my gpg setup? Maybe you could give me the pubkeys of some people in the signers, and then I could tell my gpg to trust those signatures? Or you could tell me the sha256 of the laanwj-releases.asc file, assuming you trust your copy of it?