On Fri, Sep 16, 2022 at 05:30:13PM +0000, Tommy Nguyen wrote:
> With that being said, if a GPG key were compromised, wouldn't it
> result in an error when trying to update the package? An end user would
> then report the bug, someone would see that the key does not match the
> signature in the gpg-distribution package, signalling that it's
> compromised.
A compromised GPG key means something else. It means that you have a valid
signature for a package, made with a genuine Fedora packager's key, but not
made by the Fedora packager. You won't recognize a compromised key by checking
the signatures.
You probably wanted to write a compromised dist-git account. In that case the
GPG signature would help.
-- Petr
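As an added illustration of the distinction drawn in the reply above (this is example code, not part of the thread and not Fedora's own tooling): an updater that verifies a package signature only learns that the signature was made with the trusted key; it cannot tell whose hands the key was in. Ed25519 from Go's standard library stands in for GPG here, and the seeds, key labels and package contents are constructed toy values.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Added example, not code from the thread or from Fedora's infrastructure.
// Ed25519 stands in for the GPG key that signs packages; the seeds below and
// the package bytes are constructed toy values.

// Outcome records whether an updater that checks the signature against the
// distribution's trusted public key accepts the package in each situation.
type Outcome struct {
	Legitimate         bool // packager signs a clean package with the real key
	CompromisedKey     bool // attacker signs a trojaned package with the stolen real key
	CompromisedAccount bool // attacker hijacked the dist-git account but only has their own key
}

// VerifyPackage is all an updater can do: confirm that sig over pkg was made
// with the private half of trusted. Nothing in this check identifies the signer.
func VerifyPackage(trusted ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(trusted, pkg, sig)
}

// keyFromSeed derives a deterministic toy keypair from a label padded to 32 bytes.
func keyFromSeed(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	copy(seed, label) // constructed seed: never derive real keys this way
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// RunScenarios signs a clean and a trojaned package under the three situations
// discussed in the thread and reports whether each one verifies.
func RunScenarios() Outcome {
	packagerPub, packagerPriv := keyFromSeed("fedora-packager-key")
	_, attackerPriv := keyFromSeed("attacker-own-key")

	clean := []byte("constructed rpm: foo-1.0-1.fc37")
	trojan := []byte("constructed rpm: foo-1.0-1.fc37 + backdoor")

	legit := ed25519.Sign(packagerPriv, clean)
	stolen := ed25519.Sign(packagerPriv, trojan) // genuine key, wrong hands
	forged := ed25519.Sign(attackerPriv, trojan) // no access to the genuine key

	return Outcome{
		Legitimate:         VerifyPackage(packagerPub, clean, legit),
		CompromisedKey:     VerifyPackage(packagerPub, trojan, stolen),
		CompromisedAccount: VerifyPackage(packagerPub, trojan, forged),
	}
}

func main() {
	o := RunScenarios()
	fmt.Printf("clean package, genuine key:            %v\n", o.Legitimate)
	fmt.Printf("trojan signed with stolen key:         %v\n", o.CompromisedKey)
	fmt.Printf("trojan from hijacked dist-git account: %v\n", o.CompromisedAccount)
}
```

The first two cases verify identically, which is the point about a compromised key: the signature check passes because the key is genuine, regardless of who used it. Only the third case fails, because an attacker who controls the account but not the key cannot produce a signature the trusted public key accepts.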