The current process for verifying Bitcoin ABC binaries is unclear.
An example of how users experience this can be seen here: https://old.reddit.com/r/btc/comments/egj10s/where_can_i_find_bitcoin_abc_pgp_keys/
However, that example only scratches the surface as there are multiple issues here:
- The keys are not easy to find/download.
- Having some copy of the key fingerprints has no guarantees against tampering of the fingerprints out of the box.
- While verifying the binary hashes match the signature file(s) is easy, not all users verify the integrity of the signature files themselves.
This patch is a good first step to help tackle the above issues. It provides a mechanism for users to easily identify
tampering in any part of the download process, given that they are not downloading a fresh copy of the release keys.
If the latter cannot be assumed, the user is provided with the necessary tools to do so for future downloads.