Would be nice to add "extra" verification via Signal too, or Google Authenticator. Although GPG's public key, if already known, provides a good source for that.