it's dangerous if my key leaks, yeah. it might be better to source the release pubkey from a server, but then you have to worry about the server getting compromised
I still think it's less risky than what we saw on zapstore where people were posting malware versions of apps