I downloaded unman’s public key. And the unman page on github GitHub - unman/unman
I compared fingerprints here.
Is there any further way to verify unman’s key at present?
There’s many ways to “skin this cat”, IMO it all depends on one’s personal workflow.
Perhaps you might find this white-paper helpful?
That’s a good question.
I don’t have a T shirt. 
You can find the fingerprint in the Forum and on qubes-users, as well as
at qubes.3isec.org, and GitHub.
The GitHub page is signed with another key, which is on the Qubes
website, used for email. (But how to confirm that?)
If you take different routes to those sources - to avoid someone
controlling your network - like checking over Tor, you should have some
confidence in the fingerprint, which is:
rsa4096/4b1f400df25651b53c4141b38b3f30f9c8c0c2ef
1 Like