On 22.03.20 13:02, Dan Purgert wrote:
> On Mar 21, 2020, Adrian Zaugg wrote:
> The entire point of the public key is that it can be obtained over any
> insecure medium, and still provide the correct signature verification.

That is true, yes. But if you get other keys in your keystore than you
really wanted, packages do verify that you don't want that they do. You
need to verify imported keys, that they belong to the one you think they
should. That's why I suggested to use a https-secured link, because at
least the server gets identified through the certificates.

Regards, Adrian.