So I was just about to go ahead and make and order with a vendor but once I imported their PGP key I saw it was attached to a gmail account. I've never used any vendor who has had a gmail email put in as the email on their PGP key, most have sigaint addresses attached. Is using gmail for this a flaw in his OPSEC? He is a relatively new vendor though has a few reviews and they're all positive. I'm just concerned about using a vendor that may have a flaw in their OPSEC before I even order.
Could it be fake?