Comment by IshKebab
2 years ago
> They then upload arbitrary packages on the server
And change the instructions to point to a different GPG key (or none at all).
I think the only situation it possibly helps in is if you are using untrusted mirrors. But then a simple checksum does that too. No need for GPG.
The "different GPG key" would be flagged by a package manager, but (critically) not this tool.