Author: Dan Purgert
Date:
To: dng
Subject: Re: [DNG] Beowulf Beta is here!

On Apr 05, 2020, Adrian Zaugg wrote:
>
> On 22.03.20 13:02, Dan Purgert wrote:
> > On Mar 21, 2020, Adrian Zaugg wrote:
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
> That is true, yes. But if you get other keys in your keystore than you
> really wanted, packages do verify that you don't want to. You
> need to verify imported keys, that they belong to the one you think they
> should. That's why I suggested to use an https-secured link, because at
> least the server gets identified through the certificates.

OK, so now you've "verified(tm)" that you successfully got
"devuan_a1gn1ng_key" from https://devane.com/pgp.asc. Great that you
were able to verify the server. But you still got a bogus key :)

Which was pretty much my point -- TLS doesn't protect you from getting
sent the wrong key, if you somehow got directed to the wrong site...
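
The check both posters are circling around, as an added example that is not part of the original e-mail: accept a downloaded key only when its fingerprint equals one obtained out of band, whatever site served it. The function names, the fingerprints and the key listings are constructed for illustration; the input format assumed is what `gpg --show-keys --with-colons FILE` prints.

```shell
#!/bin/sh
# Added example: accept a downloaded key only if its fingerprint matches one
# obtained out of band. Input is `gpg --show-keys --with-colons FILE` output.

# Print the primary fingerprint of every key in a colon listing on stdin.
# Each "pub" record is followed by its own "fpr"; a "sub" record also has an
# "fpr", which must not be mistaken for the primary key's.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# check_pinned LISTING PINNED
# 0 = exactly one key and it matches; 1 = mismatch; 2 = zero or several keys.
check_pinned() {
    pinned=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(printf '%s\n' "$1" | primary_fingerprints)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2
    [ "$found" = "$pinned" ] || return 1
    return 0
}

# Constructed sample data (not real keys); records trimmed to the fields used.
PINNED='AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 EEEE 5555'
GOOD_KEY='pub:-:4096:1:DDDD4444EEEE5555:1500000000:::-:::scESC:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1500000000::::Example Archive Signing Key <key@example.org>:
sub:-:4096:1:9999888877776666:1500000000::::::e:
fpr:::::::::5555444433332222111100009999888877776666:'
# Lookalike name, served by a site with a perfectly valid certificate.
LOOKALIKE_KEY='pub:-:4096:1:89ABCDEF01234567:1580000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1580000000::::Examp1e Archive Signing Key <key@example.org>:'

check_pinned "$GOOD_KEY" "$PINNED" && echo "good key: accepted"
check_pinned "$LOOKALIKE_KEY" "$PINNED" || echo "lookalike key: rejected (rc=$?)"
```

Returning 2 when the file holds more than one key covers the case raised in the quoted text, where extra keys end up in the keystore alongside the wanted one.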