This repository was archived by the owner on Oct 5, 2025. It is now read-only.
While it's possible to see that commits are PGP signed, the pgp command running in the container does not by default go and fetch public keys.
It needs a gpg.conf like below:
However, even if it did fetch the keys, due to the trust required, the signature still is not verified. You have to trust keys specifically via interaction.
This means the tool should be configurable to fetch and trust certain keys (on startup). Project maintainers would need to manage a manifest of trusted keys and keep them up to date.
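
One way the startup step described in this issue could look, as an added example that is not part of the original issue or the project's code. The manifest format (one full fingerprint per line), the function names and the default keyserver are assumptions; `--recv-keys` and `--import-ownertrust` are standard gpg options.

```bash
#!/bin/sh
# Added example: fetch and trust only the keys pinned in a maintainer-managed
# manifest, with no interactive trust prompt.
#
# Assumed manifest format (constructed sample):
#   # release signers
#   0123456789abcdef0123456789abcdef01234567  # alice
#   89AB CDEF 0123 4567 89AB  CDEF 0123 4567 89AB CDEF

# Print one ownertrust record ("FPR:6:", 6 = ultimate) per manifest entry.
# Returns non-zero if any entry is not a full 40-hex-digit fingerprint, so a
# typo or a short key ID is rejected instead of being trusted.
manifest_to_ownertrust() {
    manifest=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}    # drop trailing comment
        fpr=$(printf '%s' "$line" | tr -d '[:space:]' | tr 'a-f' 'A-F')
        if [ -z "$fpr" ]; then
            continue
        fi
        if printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$'; then
            printf '%s:6:\n' "$fpr"
        else
            printf 'rejecting manifest entry: %s\n' "$fpr" >&2
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# Run once at container startup: fetch the pinned keys, then mark exactly
# those fingerprints as trusted. Needs gpg and network access.
# KEYSERVER default is an assumption; point it at the server you rely on.
trust_manifest_keys() {
    records=$(manifest_to_ownertrust "$1") || return 1
    if [ -z "$records" ]; then
        return 0
    fi
    printf '%s\n' "$records" | cut -d: -f1 |
        xargs gpg --batch \
            --keyserver "${KEYSERVER:-hkps://keyserver.ubuntu.com}" \
            --recv-keys || return 1
    printf '%s\n' "$records" | gpg --batch --import-ownertrust
}
```

Because trust is assigned by full fingerprint from the manifest, a key fetched from the keyserver under the same name or short ID as a maintainer's key does not become trusted.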