Comment by dredmorbius
7 years ago
See what keys have signed a given key. See Debian maintainer keys as an example.
This is ... not everything that it could be, and is approaching 30 years old, technology built for a vastly different world.
But this is the basis of the GPG / PGP Web of Trust.
https://en.wikipedia.org/wiki/Web_of_trust
http://www.pgpi.org/doc/pgpintro/
http://www.rubin.ch/pgp/weboftrust.en.html
(I've addressed this point ... a distressing number of times on HN: https://hn.algolia.com/?query=dredmorbius%20web%20of%20trust... 0
Have you contacted maintainers if they're willing to do this? Is there a way to configure apt to verify chain of trust?