by hnews_account_1 2362 days ago
Can I ask a question that I've never been able to answer by Googling? Kleopatra is the tool of choice for GUI-based GPG / PGP stuff on Windows, right? So why is it that, for literally any software I download, it cannot locate the keys on any online database, including MIT and whatever else the top keystores online are?

If those keystores are not being regularly updated by trusted data vendors, how am I supposed to trust GPG-signed stuff? It isn't like SHA, where I just need to compare 2 hashes.

I'd shift to command line tools if I knew that the protocol was being widely used effectively.

1 comment

Not everyone uploads their PGP keys to keyservers. Also, keyservers don't verify the ownership of the keys uploaded to them. You're supposed to import the signer's public key first.
Yes, that's the other choice, right? But then if I'm going to a compromised website with no idea that a MITM attack is taking place, I'd download the wrong public key, wouldn't I? In that scenario, why is it trusted more than something much simpler like SHA? Is it just because it doesn't need a hash calculation?

So the larger question is, how do I verify ownership of a medium-level distributed file? Like, not tens of millions of users who host mirrors etc. so that everything is cross-checkable, but not 10-downloads-a-month software either.

A nice example is the number and names of keys for <president@whitehouse.gov>.
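The thread's point is that "Good signature" from gpg only means the signature matches *some* key in your keyring, which a key fetched from the same compromised page trivially satisfies; the defence is to pin the fingerprint you obtained out-of-band and accept only signatures from that key. As an added example (not code from any poster in the thread), this wrapper applies such a pin to gpg's machine-readable `--status-fd` output; the fingerprints and status lines it uses are constructed samples, not real keys.

```python
"""Accept a gpg signature only if it was made by a pinned key.

Status lines have the form '[GNUPG:] KEYWORD args...'.  VALIDSIG carries the
signing (sub)key fingerprint as its first argument and the primary-key
fingerprint as its tenth, so pinning the primary key still verifies releases
signed with a rotating signing subkey.  PINNED_FPR below is a constructed
sample, not a real key.
"""
import subprocess
from typing import Iterable

# Fingerprint confirmed out-of-band (e.g. in person, or from a trusted
# printed source).  Constructed 40-hex-digit sample.
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

# Status keywords after which no later VALIDSIG may rescue the result.
HARD_FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr: str) -> str:
    """Strip spaces and upper-case so copy-pasted fingerprints compare equal."""
    return fpr.replace(" ", "").upper()


def signature_ok(status_lines: Iterable[str], pinned_fpr: str) -> bool:
    """True only if gpg reports a valid signature made by the pinned key.

    A GOODSIG from an unpinned key (the MITM-substituted-key case) is
    rejected, because only VALIDSIG's fingerprints are compared to the pin.
    """
    want = normalize_fpr(pinned_fpr)
    valid = False
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in HARD_FAILURES:
            return False
        if keyword == "VALIDSIG" and len(args) >= 10:
            signing_fpr = normalize_fpr(args[0])
            primary_fpr = normalize_fpr(args[9])
            if want in (signing_fpr, primary_fpr):
                valid = True
    return valid


def verify_file(sig_path: str, data_path: str, pinned_fpr: str) -> bool:
    """Run gpg on a detached signature and apply the pin to its status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return signature_ok(proc.stdout.splitlines(), pinned_fpr)
```

This answers the SHA comparison in the thread: a hash must be re-fetched over the same channel for every release, while one fingerprint pinned once verifies every later release from that signer.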