{ pkgs, ... }:
{
  services.gpg-agent = {
    # 14 days in seconds.  gpg-agent also enforces max-cache-ttl (7200 s unless
    # overridden, here via services.gpg-agent.maxCacheTtl), which caps every
    # cache entry regardless of this value, so on its own this does not keep a
    # passphrase cached for two weeks.
    defaultCacheTtl = 1209600;
    pinentry.package = pkgs.pinentry-tty;
  };

  # Fun video btw
  # https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
  programs.gpg.publicKeys =
    let
      # One programs.gpg.publicKeys entry built from a URL.  The key file is a
      # fixed-output fetch pinned by `hash`, so if the upstream key material is
      # ever replaced the build fails instead of silently importing a different
      # key under the same trust level.
      #
      # https://security.stackexchange.com/a/69089
      # One lower than ultimate (introducer in the web of trust) is good enough.
      keyFromUrl =
        {
          url,
          hash,
          trust ? 4,
        }:
        {
          source = pkgs.fetchurl { inherit url hash; };
          inherit trust;
        };

      # Same as keyFromUrl, addressed by GitHub user name: the key is served at
      # https://github.com/<user>.gpg.  Every other attribute (hash, trust)
      # passes straight through.
      githubKey =
        { user, ... }@attrs:
        let
          passthrough = builtins.removeAttrs attrs [ "user" ];
        in
        keyFromUrl (passthrough // { url = "https://github.com/${user}.gpg"; });

      # Do not depend on my own forgejo instance / self-host server to avoid a single point of failure
      githubKeys = [
        # Own key: ultimate trust.
        {
          user = "leana8959";
          hash = "sha256-Y+v/8bLkyUIe4vjToChQP3ChPxRV/DqI72OTsx6F0oo=";
          trust = 5;
        }
        {
          user = "vanilla-extracts";
          hash = "sha256-6JulBVFmbOHAI7tHiS0Q7L5oQVOXtkUmOLz3+Yz27ec=";
        }
        {
          user = "jappeace";
          hash = "sha256-wJ4hiE7M7dcEMaE8waNZEi+tybpVIsFzoeDJhIIaLhk=";
        }
        {
          user = "confusedkernel";
          hash = "sha256-9DdtDAcv+2Z0jJMSLAXbp5ne8uHYj5V/lNGi0kKSdv4=";
        }
        {
          user = "gautaz";
          hash = "sha256-j0I9l8uKfzKNrc2qveFi5mkRppxL36+BUEqvFPs6vqA=";
        }
      ];

      # Keys that are not published on GitHub.
      otherKeys = [
        {
          url = "https://eragon.re/pubkey.asc";
          hash = "sha256-xvNB+BxqxHqdVBnMhzX3eenN3KmjmdATFPHkPUGweAA=";
        }
      ];
    in
    (map githubKey githubKeys) ++ (map keyFromUrl otherKeys);
}