
GitHub GPG and Keybase PGP - jdorfman
https://www.ahmadnassri.com/blog/github-gpg-keybase-pgp/
======
geofft
I don't understand what "unverified" means, then. If you can just edit an
unverified key into including the right email address, what's unverified about
it?

Are they trying to say that the @keybase.io email address has not passed email
verification as associated with the account? What's the point of that?

If I compromise someone's git repo (e.g., I trick them into pushing commits
they shouldn't have pushed), I shouldn't be able to cause my own key to show
up as "verified" as the victim's email address. If the victim needs to approve
that key in GitHub's web UI, then what additional benefit does "verified"
bring?

