On Apr 05, 2020, Adrian Zaugg wrote:
>
>
> On 22.03.20 13:02, Dan Purgert wrote:
> > On Mar 21, 2020, Adrian Zaugg wrote:
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
>
> That is true, yes. But if you get other keys in your keystore than you
> really wanted, packages do verify that you don't want that they do. You
> need to verify imported keys, that they belong to the one you think they
> should. That's why I suggested to use a https-secured link, because at
> least the server gets identified through the certificates.

OK, so now you've "verified(tm)" that you successfully got
"devuan_a1gn1ng_key" from https://devane.com/pgp.asc. Great that you
were able to verify the server. But you still got a bogus key :)

Which was pretty much my point -- TLS doesn't protect you from getting
sent the wrong key, if you somehow got directed to the wrong site...


--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281