If you knew the answer, then why are you askig for my source for ThomasV key? If you go to Electrum.org and go to the Download page, there is a link to the same URL I posted above. Both electrum.org and the Electrum github I posted above are legit; both of them lead their users to the same PGP key, which is real.
Yes, bad servers give fake github repos with fake wallets, but I linked you THE REAL GitHub repo, which again, you can confirm either by checking it in the electrum.org website or in any other trusted source.
Why can’t you just do your own goddam research to confirm that what I’m saying is true?
how to know that PGP key is real?
The fake sites have signatures for the fake versions so there is no point in verifying signatures
Look, I’m trying to remain patient and explain everything to you. But for this, you will HAVE to read and understand what I’m trying to say to you.
AGAIN: You download ThomasV’s key ONCE from a well known source, like ELECTRUM.ORG, which is real and not a fake website. Then, everytime you need to download a new update from any website, you use that trusted key to verify the unknown file (you know the PGP key is trusted because you know for a fact that you downloaded it from the real website).
YOU DONT DOWNLOAD A NEW KEY EVERYTIME ALONG WITH THE FAKE SOFTWARE FROM THE FAKE WEBSITE.