gradle-witness
Verify PGP signature with "certificate-pinning"
Is it possible to implement a verification system that guarantees that the PGP signatures (*.asc files) are still correct and that the PGP signer is still the same?
The current implementation of gradle-witness verifies that the checksum of the lib is correct.
As a developer, every time I wish to use a new lib version I have to update the checksum, too.
With pinned-PGP-signer verification I can declare trust in the signer. There is no need to update the signature in the gradle file when there are version updates. An update is only necessary if the PGP signer changes.
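The check the post asks for, written as an added example rather than code from gradle-witness (which, as the post says, pins checksums, not signers): verify the detached `.asc` against the artifact with GnuPG, then accept the result only if the signing key is the pinned one. It relies on GnuPG's machine-readable `--status-fd` protocol, whose `VALIDSIG` line carries the signing-key fingerprint as its first argument and the primary-key fingerprint as its last (see GnuPG's doc/DETAILS). The function names, the fingerprints and the sample status lines used below are constructed for the example; the signer's public key is assumed to already be in the local keyring, since gpg cannot verify a signature without it.

```shell
#!/bin/sh
# Added example, not gradle-witness code: accept an artifact only if its detached
# PGP signature is valid AND was made by a pinned signer.
# Status line format (GnuPG doc/DETAILS):
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash-algo> <sig-class> <primary-key-fpr>
# Function names, fingerprints and status samples are assumptions/constructed.

# check_pinned_signer PIN   (gpg --status-fd output on stdin)
# Returns 0 when a VALIDSIG line names the pinned key either as the primary key
# fingerprint (last field, so the signer may rotate signing subkeys under the
# same primary key) or as the signing key itself (first field), and no line
# marks the signature as bad, unverifiable, expired, revoked or from an
# unknown key. Returns 2 when PIN is not a full hex fingerprint: pinning a
# short key ID would be guessable, so it is refused rather than silently failing.
check_pinned_signer() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')   # accept "0123 4567 ..." and lowercase
    case "$pin" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#pin}" -ge 40 ] || return 2
    status=$(cat)
    # Any of these means "do not trust", even if a VALIDSIG line is also present
    # (gpg emits VALIDSIG alongside EXPKEYSIG/REVKEYSIG for good-but-expired/revoked keys).
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NODATA|NO_PUBKEY) '; then
        return 1
    fi
    printf '%s\n' "$status" | awk -v pin="$pin" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == pin || $12 == pin) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_artifact ARTIFACT SIGNATURE.asc PIN
# --status-fd 1 puts the machine-readable lines on stdout; the human-readable
# output on stderr is discarded. The signer's key must already be in the keyring.
verify_artifact() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_pinned_signer "$3"
}

# Stand-alone use: sh pin-signer.sh lib.jar lib.jar.asc <primary-key-fingerprint>
if [ "$#" -eq 3 ]; then
    if verify_artifact "$1" "$2" "$3"; then
        echo "OK: valid signature from pinned signer"
    else
        echo "REJECTED: bad signature or unexpected signer"
        exit 1
    fi
fi
```

The pin is the full fingerprint, not a key ID, and it only has to change when the signer changes, which is the property the post asks for. Two caveats a practitioner should keep in mind: declaring trust in a signer does not protect against that signer's private key being compromised, and the key still has to be imported into the build's keyring (ideally by fingerprint, from a source other than the artifact repository itself), so that import step is where the initial trust decision is actually made.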