We use Keybase to publish our PGP key, so that you can check that the npm registry you install from is the same registry that signs packages.
Keybase offers two advantages over the core OpenPGP experience that move us to recommend it to you:
The Keybase application and CLI provide an excellent user experience for PGP, which can be intimidating for newcomers.
Keybase manages and displays social proofs that the entity controlling a specific PGP key also controls accounts on social media and other places. These proofs help you decide whether the key really belongs to the account you mean to trust.
We’ve established proofs on Keybase that we control @npmjs on Twitter, the domain npmjs.com, and the domain npmjs.org. Verifying these proofs won’t tell you who owns those domains, but it does establish that the same entity controls them and the PGP key advertised on Keybase.