Post
Topic
Board Development & Technical Discussion
Re: What would happen to bitcoin if all bitcoin-related stuff on GitHub got banned?
by
NotATether
on 17/08/2022, 20:26:36 UTC
But the forged attacker's keys don't match the real dev's key signature. If you don't compare that the obtained key is actually the proper key, you miss an important step.
But, the attacker carries the developers' public keys, the binaries / source code, and finally the signatures. Therefore, they have everything needed to alter the software effectively, without notice. For example, I can change Electrum's source code, replace Thomas' key with mine, replace Thomas' signature with mine, and give it to you. How can you know I've compromised it?

Everyone in the world who has imported ThomasV's PGP key (assuming his email is verified) can retrieve the key from a keyserver, attempt to verify your binary, and notice that it fails because of a wrong signature.

So the keyserver plays a very important role (I just wish GPG shipped with a default keyserver that actually works!)
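The scenario in this exchange, reproduced as an added example that is not part of the thread: a "dev" key stands in for ThomasV's, an "attacker" key with the same user ID ships with a tampered file and its own signature, and the "user" only imports the key obtained independently (an exported copy of the dev's public key stands in for the keyserver fetch). Everything runs in throwaway GNUPGHOME directories with gpg; the names, e-mail address and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bitcointalk thread). Shows why a signature
# bundled together with its own public key proves nothing: verification is
# only meaningful against a key fetched from an independent source.
set -u

# make_keyring NAME: isolated GNUPGHOME for NAME under $WORK
make_keyring() { mkdir -p "$WORK/$1" && chmod 700 "$WORK/$1"; }

# gen_key NAME UID: unprotected signing key inside NAME's keyring
gen_key() {
    GNUPGHOME="$WORK/$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
}

# sign_file NAME FILE: detached ASCII signature FILE.asc made with NAME's key
sign_file() {
    GNUPGHOME="$WORK/$1" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$2.asc" "$2" 2>/dev/null
}

# export_pub NAME UID OUT: the public key a keyserver would hand out for UID
export_pub() { GNUPGHOME="$WORK/$1" gpg --batch --quiet --armor --export "$2" > "$3"; }

# import_pub NAME FILE: add a public key to NAME's keyring
import_pub() { GNUPGHOME="$WORK/$1" gpg --batch --quiet --import "$2" 2>/dev/null; }

# verify_with NAME FILE: exit 0 only if FILE.asc validates against a key NAME holds
verify_with() {
    GNUPGHOME="$WORK/$1" gpg --batch --quiet --verify "$2.asc" "$2" >/dev/null 2>&1
}

# fingerprint_of NAME UID: primary-key fingerprint, the value to compare out of band
fingerprint_of() {
    GNUPGHOME="$WORK/$1" gpg --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# run_demo: exit 0 when the expected outcome occurs, i.e. the genuine release
# verifies against the independently obtained key, the tampered bundle does not,
# and the bundled attacker key has a different fingerprint from the keyserver copy.
run_demo() {
    WORK=$(mktemp -d)
    uid="dev@example.invalid"                  # constructed UID, same for both keys
    make_keyring dev; make_keyring attacker; make_keyring user; make_keyring bundle
    gen_key dev "$uid"
    gen_key attacker "$uid"                    # identical UID, unrelated key: the forgery

    printf 'genuine release\n'  > "$WORK/release.tar"
    printf 'tampered release\n' > "$WORK/tampered.tar"
    sign_file dev "$WORK/release.tar"
    sign_file attacker "$WORK/tampered.tar"

    # What the user actually trusts: the key fetched independently (keyserver stand-in).
    export_pub dev "$uid" "$WORK/keyserver_copy.asc"
    import_pub user "$WORK/keyserver_copy.asc"
    # What the attacker shipped next to the tampered file: their own key.
    export_pub attacker "$uid" "$WORK/bundled_key.asc"
    import_pub bundle "$WORK/bundled_key.asc"

    genuine=1; forged=1; fprs_differ=1
    verify_with user "$WORK/release.tar"  && genuine=0
    verify_with user "$WORK/tampered.tar" && forged=0
    [ "$(fingerprint_of user "$uid")" != "$(fingerprint_of bundle "$uid")" ] && fprs_differ=0

    for d in dev attacker user bundle; do
        GNUPGHOME="$WORK/$d" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
    # genuine must verify (0), the forgery must not (1), fingerprints must differ (0)
    [ "$genuine" -eq 0 ] && [ "$forged" -eq 1 ] && [ "$fprs_differ" -eq 0 ]
}

if command -v gpg >/dev/null 2>&1; then
    if run_demo; then
        echo "genuine signature verified against the keyserver copy; forged bundle rejected"
    else
        echo "unexpected result" >&2
    fi
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

The check that matters is the fingerprint comparison: the attacker's bundle is internally consistent (its signature verifies against its own key), so the only thing that exposes it is comparing the bundled key against a copy obtained from somewhere the attacker does not control, whether a keyserver, the project's website over HTTPS, or a fingerprint noted down earlier.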