> If you download software packages from the internet, you may have noticed that some of them are signed with a GPG key. This is done to ensure that the software package has not been tampered with during the download process.
I wonder if someone could clarify this mystery to me: Supposedly the download process is protected by HTTPS, so it can't be tampered with. If we assume that it could be, then the signature that I read off their website also could've been tampered with.
Even if you don't get the public key through a web of trust, you download it "once" not every time you download a file, then you keep using it until it expires.
You also typically download it from a different place than the storage location of the signed binary artifacts. This means that an adversary will have a hard time trying to replace a public key and remain undetected.
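As an added example (not posted by anyone in this thread), the following shell script simulates the workflow the reply above describes: the release key is fetched once and pinned by its fingerprint, kept apart from the download mirror, and the downloaded archive is verified against only that key in an empty keyring, so a swapped key or a tampered archive is rejected. It assumes gpg 2.x is installed; the key, names and file paths are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example: a publisher signs a release; a downloader verifies it
# against a public key fetched once and pinned by fingerprint.
# Assumes gpg 2.x is installed; key identities and file names are made up.

WORK=$(mktemp -d)
PUBLISHER_HOME="$WORK/publisher"
mkdir -p "$PUBLISHER_HOME" && chmod 700 "$PUBLISHER_HOME"
# Throwaway signing key standing in for the project's release key
GNUPGHOME="$PUBLISHER_HOME" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase '' --quick-gen-key 'Release Bot <release@example.invalid>' \
    ed25519 sign never 2>/dev/null
# What the user fetches once from the key page, not from the mirror
GNUPGHOME="$PUBLISHER_HOME" gpg --batch --armor \
    --export release@example.invalid > "$WORK/release-key.asc"
# The fingerprint the user pins (copied from docs, compared out of band)
PINNED_FPR=$(GNUPGHOME="$PUBLISHER_HOME" gpg --with-colons --fingerprint \
    release@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')

# Simulated artifact on the mirror plus its detached signature
printf 'example release contents v1.0\n' > "$WORK/app-1.0.tar"
GNUPGHOME="$PUBLISHER_HOME" gpg --batch --quiet --pinentry-mode loopback \
    --passphrase '' --armor --detach-sign \
    --output "$WORK/app-1.0.tar.asc" "$WORK/app-1.0.tar" 2>/dev/null

# verify_artifact ARTIFACT SIGNATURE KEYFILE PINNED_FINGERPRINT
# Returns 0 for a valid signature by the pinned key, 2 if the key file does
# not carry the pinned fingerprint, 1 if the signature does not verify.
verify_artifact() {
    kr=$(mktemp -d) && chmod 700 "$kr"
    # Empty keyring: nothing but the supplied key can satisfy the check
    GNUPGHOME="$kr" gpg --batch --quiet --import "$3" 2>/dev/null
    if ! GNUPGHOME="$kr" gpg --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10}' | grep -qx "$4"; then
        rm -rf "$kr"; return 2
    fi
    if GNUPGHOME="$kr" gpg --batch --quiet --verify "$2" "$1" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$kr"; return $rc
}

# Tampered copy of the artifact: the original signature no longer matches it
printf 'example release contents v1.0 plus extra\n' > "$WORK/app-evil.tar"

verify_artifact "$WORK/app-1.0.tar" "$WORK/app-1.0.tar.asc" \
    "$WORK/release-key.asc" "$PINNED_FPR" && echo "genuine archive: OK"
verify_artifact "$WORK/app-evil.tar" "$WORK/app-1.0.tar.asc" \
    "$WORK/release-key.asc" "$PINNED_FPR" || echo "tampered archive: rejected"
```

The fingerprint comparison is what ties the check to the key obtained out of band; without it, any key an attacker bundled next to the archive would verify the attacker's own signature just as well.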
Question: What am I missing?
This is alright from a privacy perspective, because you can find out which packages are downloaded anyway by looking at the download sizes.