I was creating a new key for pass when I noticed a random expired GPG key assigned to a certain “Roderick van Domburg” in my list of keys. I don’t know any Rodericks, and this laptop has been whipped clean.

Should I be concerned? How could this even happen???

  • cosmicrose@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    7 months ago

    Many tools that use GPG, especially package managers, will download keys so they can verify signatures. It’s nothing to worry about. That developer probably signed something you use.