Is there anything inherently suspicious about vendors using newly created PGP keys (i.e. created after July) even though they have been around for a good while?
The key matches their key on Grams but there are no old keys I can ask them to sign with to verify it's really them.
What could possibly go wrong?
Make sure to just tick the box to encrypt via the market while you're at it.