I was creating a new key for pass when I noticed a random expired GPG key assigned to a certain “Roderick van Domburg” in my list of keys. I don’t know any Rodericks, and this laptop has been wiped clean.
Should I be concerned? How could this even happen???
Many tools that use GPG, especially package managers, will download keys so they can verify signatures. It’s nothing to worry about. That developer probably signed something you use.
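An added example, not part of the original posts: a small auditor that parses the output of `gpg --list-keys --with-colons` and reports expired public keys with their user IDs and fingerprints, so an unfamiliar key can be matched against the signing key a package or project publishes. The sample listing, key IDs, fingerprints and names are constructed.

```python
import subprocess
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:e:4096:1:AAAA1111BBBB2222:1400000000:1500000000::-:::sc::::::23::0:
fpr:::::::::0000111122223333444455556666AAAA1111BBBB2222:
uid:e::::1400000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Packager <packager@example.invalid>::::::::::0:
sub:e:4096:1:CCCC3333DDDD4444:1400000000:1500000000:::::e::::::23:
fpr:::::::::9999888877776666555544443333CCCC3333DDDD4444:
pub:u:255:22:EEEE5555FFFF6666:1690000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::1111222233334444555566667777EEEE5555FFFF6666:
uid:u::::1690000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Me <me@example.invalid>::::::::::0:
"""

def parse_keys(colon_output):
    """Return one dict per primary public key in a --with-colons listing."""
    keys, current, in_primary = [], None, False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            # Field 2 = validity ('e' means expired), 5 = key ID, 7 = expiry.
            exp = f[6]
            expires = (datetime.fromtimestamp(int(exp), timezone.utc)
                       .date().isoformat() if exp.isdigit() else None)
            current = {"keyid": f[4], "validity": f[1], "expires": expires,
                       "fingerprint": None, "uids": []}
            keys.append(current)
            in_primary = True
        elif f[0] == "sub":
            in_primary = False  # following fpr records belong to the subkey
        elif f[0] == "fpr" and current and in_primary:
            current["fingerprint"] = f[9]
        elif f[0] == "uid" and current:
            # Field 10 is the user ID; gpg escapes ':' as \x3a.
            current["uids"].append(f[9].replace("\\x3a", ":"))
    return keys

def expired_keys(keys):
    return [k for k in keys if k["validity"] == "e"]

if __name__ == "__main__":
    try:  # Use the real keyring when gpg is installed, else the sample.
        out = subprocess.run(["gpg", "--list-keys", "--with-colons"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for k in expired_keys(parse_keys(out)):
        print(k["fingerprint"], k["expires"], "; ".join(k["uids"]))
```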