On the example page for verifying signatures on signed Geany downloads https://www.geany.org/Support/VerifyGPGSignature, it says:
First, you need to import the public GPG key used to sign the packages. You can download the used public key from: http://download.geany.org/colombanw-pubkey.txt
To import the key use:
    gpg --import < colombanw-pubkey.txt
I'm not highly skilled in using PGP keys, so I'm asking. Though the use examples on Geany.org are great!

Shouldn't users be importing the signer's public key from a different site / server than where the signed Geany files are?
Like from various key servers, using either the Geany signer's *email address* or the *8 char. ID* for the key?
Colomban Wendling ban@herbesfolles.org. Colomban didn't list the 8 / 16 char. key ID (that I saw) - or the email used when the keys were uploaded to key servers.
Should the key ID & email of the key owner be listed in the public key or near it? I don't know if there's a standard protocol for how PGP key IDs or emails should be posted.
I assume instructions saying to get a signer's public key from *other* sites (& verify it against more than one key server or by other means) are to minimize the risk that hackers could compromise both the signed software and the key, if both are on the same server?
Some devs seem to put the key ID / fingerprint, email address in the key file itself - like Mozilla. Key IDs are the last 8 char. in a key's fingerprint. They can be used to search key servers to import key(s) (from a different source) to your key ring. This is from inside a Mozilla public key on https://ftp.mozilla.org/pub/mozilla.org/firefox/:

    pub   rsa4096 2015-07-17 [SC]
          14F26682D0916CDD81E37B6D61B7B526D98F0353
    uid           [ full ] Mozilla Software Releases <release@mozilla.com>
    sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
    sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]

Note: Mozilla says to verify the public key data elsewhere, because the ones on their site could be compromised (maybe call Mozilla devs on the bat phone).
Thanks.
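As an added example (not from the post, and not Geany's or Mozilla's own tooling), the script below does the check the post is circling around: before importing a key downloaded from the same server as the software, show the key's full fingerprint, derive the 16-char and 8-char key IDs from it, and compare the fingerprint against a value obtained through a second channel (a key server lookup, the project's website, a mailing-list announcement). The sample listing is constructed from the Mozilla output quoted above; it assumes the listing was produced by something like `gpg --show-keys colombanw-pubkey.txt` (an assumed invocation, run before any `--import`). Matching only on the short 8-char ID is deliberately treated as a failure, since short IDs can be made to collide.

```python
import re

# Constructed sample: the human-readable listing quoted in the post above,
# as gpg prints it for a key file that has not been imported yet.
SAMPLE_LISTING = """\
pub   rsa4096 2015-07-17 [SC]
      14F26682D0916CDD81E37B6D61B7B526D98F0353
uid           [ full ] Mozilla Software Releases <release@mozilla.com>
sub   rsa4096 2015-07-17 [S] [expires: 2017-07-16]
sub   rsa4096 2017-06-22 [S] [expires: 2019-06-22]
"""

# Constructed sample of a look-alike key: same uid and same last 8 hex chars
# (short key ID), but a different fingerprint. A short-ID-only check passes it.
FORGED_LISTING = SAMPLE_LISTING.replace(
    "14F26682D0916CDD81E37B6D61B7B526D98F0353",
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEFD98F0353",
)

# A full v4 fingerprint is 40 hex digits on a line of its own in this output.
FPR_RE = re.compile(r"^\s*([0-9A-Fa-f]{40})\s*$", re.M)
# uid lines carry an optional trust marker like "[ full ]" before the name.
UID_RE = re.compile(r"^uid\s+(?:\[[^\]]*\]\s+)?(.+?)\s*$", re.M)


def normalize_fingerprint(text):
    """Accept fingerprints as printed (grouped by spaces/colons, any case)."""
    h = re.sub(r"[\s:]", "", text).upper()
    if h.startswith("0X"):
        h = h[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", h):
        raise ValueError("expected a full 40-hex-digit fingerprint, got %r" % text)
    return h


def key_ids(fingerprint):
    """Derive the long (16-char) and short (8-char) key IDs from a fingerprint."""
    f = normalize_fingerprint(fingerprint)
    return {"long": f[-16:], "short": f[-8:]}


def parse_listing(text):
    """Pull the primary fingerprint and user IDs out of a gpg key listing."""
    fprs = FPR_RE.findall(text)
    return {
        "fingerprint": fprs[0].upper() if fprs else None,
        "uids": UID_RE.findall(text),
    }


def check_key(listing_text, expected_fingerprint):
    """Compare the key file's fingerprint with one obtained through a second channel.

    Returns (ok, reason). Only a full-fingerprint match is accepted.
    """
    parsed = parse_listing(listing_text)
    if parsed["fingerprint"] is None:
        return False, "listing shows no full fingerprint; do not trust a key ID alone"
    expected = normalize_fingerprint(expected_fingerprint)
    if parsed["fingerprint"] == expected:
        return True, "full fingerprint matches the second-channel value"
    if parsed["fingerprint"][-8:] == expected[-8:]:
        return False, "only the short 8-char key ID matches; short IDs collide, reject"
    return False, "fingerprint mismatch; the key file may not be the signer's"


if __name__ == "__main__":
    # The value on the right stands in for a fingerprint read from an
    # independent source; here it is just the sample's own fingerprint.
    for name, listing in (("genuine", SAMPLE_LISTING), ("forged", FORGED_LISTING)):
        ok, why = check_key(listing, "14F2 6682 D091 6CDD 81E3 7B6D 61B7 B526 D98F 0353")
        print(name, "->", "OK" if ok else "REJECT", "-", why)
    print("key IDs:", key_ids("14F26682D0916CDD81E37B6D61B7B526D98F0353"))
```

Only after `check_key` returns `True` would you run the `gpg --import` from the Geany page; the point of the second channel is that an attacker who replaced both the tarball and the key file on one server still has to match a fingerprint published somewhere they do not control.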