On a related note, I'd love to use org-plus-contrib packages but there's
no https update, and I still don't understand how to check whether
packages are signed, w/ which keys, where the keys are published.
Maybe I didn't do everything I could but all the other updates on my
system have been far more transparent in that regard---even if unsigned,
I'm at least aware of this, and if signed, I know which key they are
signed with, and the key is in the keyring.