by AgentME 2372 days ago
Not everyone uploads their PGP keys to keyservers. Also, keyservers don't verify the ownership of the keys uploaded to them. You're supposed to import the signer's public key first.

Yes, that's the other choice, right? But then if I'm going to a compromised website with no idea that a MITM attack is taking place, I'd download the wrong public key, wouldn't I? In that scenario, why is it trusted more than something much simpler like SHA? Is it just because it doesn't need a hash calculation?

So the larger question is, how do I verify ownership of a medium level distributed file? Like not tens of millions of users who host mirrors etc so that everything is cross checkable. But not like a 10 downloads a month software either.
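The difference the question above is getting at is where the trust anchor lives. A checksum served next to the file is replaced together with the file by whoever controls the site or the connection; a signature only helps if the verifying key was obtained through some other channel (a keyring shipped with the OS, a fingerprint printed in documentation, a key imported earlier) and pinned. The following is an added example, not code from this thread, that plays both scenarios through with a toy textbook RSA built from tiny constructed primes so it runs offline; the key sizes are an illustration of the trust model only, not a usable signature scheme.

```python
import hashlib


def toy_keypair(p, q, e=17):
    """Textbook RSA keypair from two (toy, insecure) primes. Constructed for illustration."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python >= 3.8
    return (n, e), (n, d)        # (public, private)


def digest_int(data: bytes, n: int) -> int:
    # SHA-256 of the file, reduced mod n so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def check_with_hash(data: bytes, published_hex: str) -> bool:
    # The "SHA" approach: compare against a hash published on the same site.
    return hashlib.sha256(data).hexdigest() == published_hex


# --- publisher side (constructed sample payload) ---
PUB_KEY, PRIV_KEY = toy_keypair(61, 53)
GENUINE = b"installer v1.0 (constructed sample payload)"
PAGE = {
    "file": GENUINE,
    "sha256": hashlib.sha256(GENUINE).hexdigest(),  # hash hosted beside the file
    "sig": sign(GENUINE, PRIV_KEY),                 # detached signature
}

# --- client side: the key was fetched out of band and pinned earlier ---
PINNED_PUB = PUB_KEY


def serve_tampered(page):
    """Model an attacker who controls the site (or the connection): swap the
    file, recompute the hosted hash, and attach a signature under their own key."""
    _, mitm_priv = toy_keypair(71, 67)   # attacker's own toy key
    bad = b"installer v1.0 (constructed tampered payload)"
    return {
        "file": bad,
        "sha256": hashlib.sha256(bad).hexdigest(),
        "sig": sign(bad, mitm_priv),
    }


def client_checks(page, pinned_pub):
    """What each verification method reports for a downloaded page."""
    return {
        "hash_ok": check_with_hash(page["file"], page["sha256"]),
        "sig_ok": verify(page["file"], page["sig"], pinned_pub),
    }


if __name__ == "__main__":
    print("genuine :", client_checks(PAGE, PINNED_PUB))
    print("tampered:", client_checks(serve_tampered(PAGE), PINNED_PUB))
```

The hosted hash passes in both cases because the attacker recomputed it; the signature check passes only for the genuine file, and only because the client did not take the key from the same page it is trying to verify. The real cost of the signature approach is therefore not the math but the out-of-band key distribution step, which is exactly the step a keyserver cannot do for you.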

A nice example is the number and names of keys for <president@whitehouse.gov>.