Cake day: July 6th, 2023

  • Agree with the points on PGP and other features. I almost made a lengthier reply mentioning the signing issues, which seems appropriate now. It would not be easy, but a successful implementation would definitely need clients to automatically detect and verify signed content, due to the human issues you mention. A problem is obtaining public keys from a trusted source. Maybe it could be attached to profile information with a 2FA requirement to modify it. Just an idea. In this way, verification is not dependent on the user to perform.


  • PGP private keys are harder to steal than JWTs, as they are not generally stored as a long-term cookie but briefly just to sign something. Through XSS (the vulnerability in this case), cookies are relatively easy to steal, but to steal a PGP key would require a more complex script able to steal the key at the time it is loaded in the browser (assuming the signing feature is implemented in the browser). It’s a bit more sophisticated, but not totally bulletproof.