Signed metadata #82

Open
@andrew

Currently we only trust metadata downloaded directly from the original upstream registry. Enabling forage to opt in to trusting metadata from other instances would mean we can pass metadata around over IPFS and pubsub whilst ensuring it came from one of the sources we trust (upstream registry or some specific forage instances run by company/friends/services).

To do this we need to have forage instances sign their metadata and be able to verify it using their public key.

Tasks:

  • create/add public+private key pair
    • on startup, if no keys, create pair
    • command to refresh keys
    • command to import keys
  • manage trusted public keys
    • command to add trusted public key
    • command to remove trusted public key
  • share metadata over pubsub
  • sign metadata shared over pubsub
  • verify metadata received over pubsub
    • ignore metadata responses if verification fails
  • signer should be stored with metadata so it can be passed along to other instances
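
One way the sign, verify and store-the-signer tasks above could fit together, as an added example that is not forage's own code. It assumes Ed25519 via Node's built-in `crypto`; the function names, the envelope shape (`metadata`, `signer`, `signature`) and the base64 SPKI key encoding are all hypothetical.

```javascript
const crypto = require('node:crypto');

// Deterministic JSON (sorted keys) so every instance signs and verifies the same bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return `[${value.map(canonicalize).join(',')}]`;
  if (value && typeof value === 'object') {
    const body = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(value[k])}`);
    return `{${body.join(',')}}`;
  }
  return JSON.stringify(value);
}

// Key pair for one instance; the signer id is the public key itself (assumed encoding).
function newIdentity() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const signer = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { signer, privateKey };
}

// The signer travels with the metadata so other instances can pass the envelope along unchanged.
function signMetadata(metadata, identity) {
  const payload = Buffer.from(canonicalize(metadata));
  const signature = crypto.sign(null, payload, identity.privateKey).toString('base64');
  return { metadata, signer: identity.signer, signature };
}

// Returns the metadata only if the signer is trusted and the signature checks out, else null.
function verifyEnvelope(envelope, trustedSigners) {
  try {
    const { metadata, signer, signature } = envelope;
    if (typeof signer !== 'string' || typeof signature !== 'string') return null;
    if (!trustedSigners.has(signer)) return null; // trust decision comes before any crypto
    const key = crypto.createPublicKey({ key: Buffer.from(signer, 'base64'), format: 'der', type: 'spki' });
    const payload = Buffer.from(canonicalize(metadata));
    return crypto.verify(null, payload, key, Buffer.from(signature, 'base64')) ? metadata : null;
  } catch {
    return null; // malformed envelope or key: ignore the response
  }
}

// Constructed sample: one trusted instance, one unknown instance, a JSON round trip as the relay.
function demo() {
  const friend = newIdentity(), stranger = newIdentity();
  const trusted = new Set([friend.signer]);
  const metadata = { name: 'example-pkg', 'dist-tags': { latest: '1.0.0' } };
  const relayed = JSON.parse(JSON.stringify(signMetadata(metadata, friend)));
  return { relayed: verifyEnvelope(relayed, trusted), untrusted: verifyEnvelope(signMetadata(metadata, stranger), trusted) };
}
```

Because the trusted set is keyed on the public key, a relay that swaps in its own signer and re-signs is rejected unless that key has been added explicitly.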
