3

I frequently use GPG to verify downloads. By doing so I implicitly put trust in a key provided by the author; at least I trust the key enough to run software verified with that key on my computer. Some examples might be a GNU/Linux distribution maintainer's key published on its homepage (available over HTTPS), or a program author referencing his Keybase.io profile, which is intended to be used to obtain a GPG key for signed package verification.

To mark such keys as trusted explicitly, instead of just importing them into my keyring, it seems reasonable to sign them with my key. The persona certification level (0x11) seems appropriate in this case. Extending that, it might be useful to make my signatures publicly available, so a friend of mine downloading a package from the same author could benefit from having the key double-checked as safe to use.

Are there any substantial drawbacks to this approach except privacy concerns?

raindev

1 Answer

5

There are no rules on your personal certification policy. In fact, RFC 4880, OpenPGP states:

There are a number of possible meanings for a signature, which are indicated in a signature type octet in any given signature. Please note that the vagueness of these meanings is not a flaw, but a feature of the system. Because OpenPGP places final authority for validity upon the receiver of a signature, it may be that one signer's casual act might be more rigorous than some other authority's positive act. [...]

I already provided further discussion on the meaning (and vagueness) of certifications in "Is it okay to sign a PGP key without an IRL meeting?".

If you are sure about the software project's key, and also consider it might be relevant to share this attestation, providing a public certification might be a reasonable thing to do. Personally, I also do so (but haven't done it often, yet), using the very same "sig1/0x11" signature level. If you put deeper thought into what certification levels to use and have a more or less rigid definition, providing a certification policy ("What are you saying when you sign a PGP key?") might be helpful if others actually consider following your certifications in the web of trust.

If you use GnuPG and only want to issue a "private" signature which should not be shared with keyservers and otherwise exported, there is also the local signature (lsign) feature.

Jens Erat
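As an added example (not part of the question or the answer above), the script below reads the machine-readable output of `gpg --check-sigs --with-colons` and reports, for each certification on a key, its RFC 4880 class (sig0..sig3), whether it is exportable or a local `lsign` signature, and whether GnuPG could verify it. The field layout follows GnuPG's doc/DETAILS; the sample records and key IDs are constructed.

```python
"""Classify the certifications on an OpenPGP key from the machine-readable output
of `gpg --check-sigs --with-colons KEYID` (field layout per GnuPG's doc/DETAILS)."""
from dataclasses import dataclass

# RFC 4880 section 5.2.1 certification classes; GnuPG calls them sig0..sig3.
CERT_LEVELS = {0x10: "generic (sig0)", 0x11: "persona (sig1)",
               0x12: "casual (sig2)", 0x13: "positive (sig3)"}
VALIDITY = {"!": "good", "-": "bad", "?": "signer key unknown", "%": "error"}  # sig field 2

@dataclass
class Certification:
    signer_keyid: str
    signer_uid: str
    level: int
    exportable: bool   # False for a local signature made with lsign
    status: str

def parse_check_sigs(output: str) -> list[Certification]:
    """Return the user-ID certifications found in colon-delimited output."""
    certs = []
    for line in output.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        cls = f[10]                  # field 11: class in hex + "x"/"l" suffix
        level = int(cls[:2], 16)
        if level not in CERT_LEVELS:
            continue                 # subkey binding, revocation, etc.
        certs.append(Certification(f[4], f[9], level, cls.endswith("x"),
                                   VALIDITY.get(f[1], "unchecked")))
    return certs

def exported_certs(certs: list[Certification]) -> list[Certification]:
    """Certifications that `gpg --export` (and so a keyserver upload) carries;
    local signatures never leave the keyring."""
    return [c for c in certs if c.exportable]

# Constructed records: the key's self-signature, a persona certification by
# the downloader, a local signature by a friend, and one from an unknown key.
SAMPLE = """\
sig:!::1:AAAAAAAAAAAAAAAA:1600000000::::Example Project <release@example.org>:13x:::::2::0:
sig:!::1:BBBBBBBBBBBBBBBB:1700000000::::raindev <raindev@example.org>:11x:::::2::0:
sig:!::1:CCCCCCCCCCCCCCCC:1700000000::::A Friend <friend@example.org>:10l:::::2::0:
sig:?::1:DDDDDDDDDDDDDDDD:1700000000::::[User ID not found]:12x:::::2::0:
"""
if __name__ == "__main__":
    for c in parse_check_sigs(SAMPLE):
        scope = "exportable" if c.exportable else "local only"
        print(f"{c.signer_keyid}: {CERT_LEVELS[c.level]} [{scope}, {c.status}]")
```

Run it against real output with `gpg --check-sigs --with-colons KEYID | python3 script.py` after replacing `SAMPLE` with `sys.stdin.read()`; the local (`10l`) certification is the one that stays out of any export.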