I’ve started signing releases with my SSH key because I believe this is going to get better in the future, but I’m definitely not ready to stop signing with GPG just due to how janky the validation process is. Having to create the authorized_keys file yourself kinda sucks; I hope this can be improved in the future.
Thank you for the link; this was timely, as a project that I want to contribute to asked me to sign my releases and I can’t seem to find my GPG key, which I probably haven’t used in 20 years.
FYI, there’s a bug in the instructions on that page: the author uses ~/.ssh/authorized_signatures as a filename at one point when they mean ~/.ssh/allowed_signers. Other than that, it works great!
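The validation step the first comment calls janky, and the allowed_signers file the last comment corrects the name of, look like this end to end. The script below is an added example, not the commenters' own commands or the linked article's: it creates a throwaway Ed25519 key, signs a constructed "release" file with `ssh-keygen -Y sign`, writes an allowed_signers file by hand, and verifies with `ssh-keygen -Y verify`, including the two cases that should fail (wrong principal, tampered file). The principal `releases@example.com`, the `file` namespace and all paths are assumptions for illustration; it needs OpenSSH 8.2 or newer for the `-Y` subcommands.

```shell
#!/bin/sh
# Added example: sign a release artifact with an SSH key and verify it against
# a hand-written allowed_signers file. Not from the thread or the linked article.
# Assumes OpenSSH >= 8.2 (ssh-keygen -Y). Principal, namespace and paths are hypothetical.
set -eu

# Create a scratch directory with a throwaway key, a constructed release file,
# and an allowed_signers file. Prints the directory path.
setup_demo() {
  dir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -C 'release-signer' -f "$dir/release_key"
  # Constructed stand-in for a release tarball.
  printf 'constructed release tarball contents\n' > "$dir/release.tar.gz"
  # allowed_signers format (one signer per line):
  #   <principal> [options] <keytype> <base64 key> [comment]
  # The principal is the identity you verify against (-I below). The
  # namespaces= option limits what this key may sign for; git uses "git",
  # ssh-keygen's default for files is "file".
  pubkey=$(cut -d' ' -f1,2 "$dir/release_key.pub")
  printf '%s namespaces="file" %s\n' 'releases@example.com' "$pubkey" \
    > "$dir/allowed_signers"
  echo "$dir"
}

# Sign the release file; writes release.tar.gz.sig next to it.
sign_release() {
  dir=$1
  ssh-keygen -Y sign -f "$dir/release_key" -n file "$dir/release.tar.gz" \
    >/dev/null 2>&1
}

# Verify the signature for a given principal. Returns 0 only for a good
# signature by a key listed for that principal in allowed_signers.
verify_release() {
  dir=$1
  principal=$2
  ssh-keygen -Y verify -f "$dir/allowed_signers" -I "$principal" -n file \
    -s "$dir/release.tar.gz.sig" < "$dir/release.tar.gz" >/dev/null 2>&1
}

# Modify the artifact after signing (simulated tampering).
tamper_release() {
  dir=$1
  printf 'x' >> "$dir/release.tar.gz"
}

# Full run: returns 0 when the good case verifies and both bad cases fail.
run_demo() {
  dir=$(setup_demo)
  sign_release "$dir"
  verify_release "$dir" releases@example.com || return 1   # expected: good
  if verify_release "$dir" someone-else@example.com; then  # wrong principal
    return 1
  fi
  tamper_release "$dir"
  if verify_release "$dir" releases@example.com; then      # tampered file
    return 1
  fi
  rm -rf "$dir"
  return 0
}
```

For git itself the same file format is used: `git config gpg.format ssh`, `git config user.signingKey ~/.ssh/release_key.pub` and `git config gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers` make `git tag -s` / `git tag -v` go through this path, with the line's `namespaces="git"` instead of `"file"`. The allowed_signers file is the part you still have to write and distribute yourself, which is the gap the first comment is pointing at.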