I doubt that it is a good practice to ship the public key used to
sign things in the repository in the repository itself

– Junio C Hamano, git@vger.kernel.org:
expired key in junio-gpg-pub

Git ships with the maintainer’s public key.

But you won’t find it in your worktree—it’s hidden in plain
sight.

Junio Hamano’s public key is a blob in the git object
database. It’s tagged with junio-gpg-pub, so you can only
see it with git cat-file:

(/^ヮ^)/*:・ﾟ✧ git cat-file blob junio-gpg-pub
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
...

In 2021, Junio pretty much said that this was a bad
idea.

But it led me to think about some other wonderful bad ideas.

Fake empty GitHub repos 📦

I made an empty GitHub repo called hidden-zangief.

Except it’s not empty.

Instead, it’s chockfull of sweet ANSI art—Zangief from Street Fighter
II.

And if you clone it, after an initial warning, you can see Zangief is
still in there:

(/^ヮ^)/*:・ﾟ✧ git clone https://github.com/thcipriani/hidden-zangief && cd hidden-zangief
Cloning into 'hidden-zangief'...
warning: You appear to have cloned an empty repository.
(/^ヮ^)/*:・ﾟ✧ git fetch origin refs/atomic/piledriver
remote: Enumeratin