by freeone3000
588 days ago
This attestation doesn't change a ton with that, though. The point is to provide chain of custody: it got to my computer, from PyPI, from ???. The PGP signature, much like a self-signed Android app, verifies that it continues to be the same person.
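The property the comment attributes to a PGP release signature, that later releases continue to come from the same key, is trust-on-first-use key continuity. The following is an added example, not code from the poster or from PyPI, that checks exactly that and nothing more: it pins a key fingerprint per project on first sight, verifies a detached signature on each subsequent release, and reports whether the key matches. It assumes the `cryptography` package is installed and uses Ed25519 in place of PGP for brevity; the project names and artifact bytes are constructed sample input.

```python
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def fingerprint(pub: Ed25519PublicKey) -> str:
    """Stable identifier for a public key: SHA-256 over the raw key bytes."""
    raw = pub.public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw
    )
    return hashlib.sha256(raw).hexdigest()


class PinStore:
    """Trust-on-first-use store: project name -> pinned key fingerprint."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def check(self, project: str, pub: Ed25519PublicKey) -> str:
        fp = fingerprint(pub)
        pinned = self.pins.get(project)
        if pinned is None:
            self.pins[project] = fp
            return "pinned"          # first sight: nothing to compare against
        if pinned == fp:
            return "continuity-ok"   # same key as last time, and only that
        return "key-changed"         # rotation or takeover; the check cannot tell


def verify_release(store: PinStore, project: str, artifact: bytes,
                   signature: bytes, pub: Ed25519PublicKey) -> str:
    """Verify the detached signature, then report what key continuity says."""
    try:
        pub.verify(signature, artifact)
    except InvalidSignature:
        return "bad-signature"
    return store.check(project, pub)


def demo() -> list[str]:
    """Walk through the cases a client sees; returns the verdict for each."""
    store = PinStore()
    maintainer = Ed25519PrivateKey.generate()   # hypothetical project maintainer
    impostor = Ed25519PrivateKey.generate()     # hypothetical unrelated key holder
    results = []

    # Constructed sample artifacts standing in for sdist/wheel bytes.
    v1 = b"constructed sdist bytes for foo-1.0"
    results.append(verify_release(
        store, "foo", v1, maintainer.sign(v1), maintainer.public_key()))

    v2 = b"constructed sdist bytes for foo-1.1"
    results.append(verify_release(
        store, "foo", v2, maintainer.sign(v2), maintainer.public_key()))

    # Valid signature from a different key: continuity breaks.
    results.append(verify_release(
        store, "foo", v2, impostor.sign(v2), impostor.public_key()))

    # Genuine signature over tampered bytes: signature check fails.
    results.append(verify_release(
        store, "foo", v2 + b"\x00", maintainer.sign(v2), maintainer.public_key()))

    # A new project name signed by the impostor is pinned just the same:
    # continuity records who keeps signing, not who that is.
    bar = b"constructed sdist bytes for bar-0.1"
    results.append(verify_release(
        store, "bar", bar, impostor.sign(bar), impostor.public_key()))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last case is the limitation under discussion: the first key to sign a name gets pinned, so continuity alone never establishes who the claimant is, only that the same key has been used since the pin was taken.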
Your self-signed app analogy is apt: self-signing without a strong claimant identity proof is a solution, but a much weaker one than we wanted.