Alternatives to trusting markets for vendors' PGP public key?

All (?) of the markets have the option to tell you the vendor's PGP public key and strongly encourage its use, but if the market was compromised they could easily replace this with something LE could decrypt then re-encrypt with the vendor's real public key and show that to the vendor. Presumably they could get away with this for a while too if they only do this for certain customers (like ones that have a repeat history so not throwaways to test, obviously not the vendor's account, and so forth) and collect data along the way to later go after big enough buyers.

Is there a reliable place to corroborate these keys? Or is there another piece here that I'm missing that makes this attack nontrivial?


Comments


[4 Points] None:

Grams


[2 Points] breakherhip:

ur trippin too much


[2 Points] loollipapa:

Save vendor's public key to your program (gpg4usb is the most easy to use), encrypt it yourself and paste encrypted text into the order.


[2 Points] drugsnboobs:

Keep their keys in your keychain, and store that with TAILS.