[caddy]

I feel like that defeats the purpose of the validation. If you're storing the keys in the same place as the code, it would be very easy if someone gained malicious access to the repo to change the key and sign it with the new key.

[soraminazuki]

I thought the commenter was using the repo for a password store, not executable code? The only consequence of not validating that would be them entering invalid credentials. Even if they’re dealing with code, watching out for new commits that change keys is enough. That’s something that people should be doing when using keyservers too.

Anyway, the point is public keyservers aren’t a good match for the described use case. If the key is meant to be kept private, it should be shared privately.