On 22.03.20 13:02, Dan Purgert wrote:
> On Mar 21, 2020, Adrian Zaugg wrote:
> The entire point of the public key is that it can be obtained over any
> insecure medium, and still provide the correct signature verification.

That is true, yes. But if you get other keys in your keystore than you really wanted, packages verify that you don't want them to. You need to verify that imported keys belong to the one you think they should. That's why I suggested using an https-secured link, because at least the server gets identified through the certificates.

Regards, Adrian.
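
The check described above (confirming that a key file holds only the keys you meant to import), as an added example that is not part of the original message. The function name, the file name in the usage comment and all fingerprints are constructed for illustration; the input is the colon-delimited listing printed by `gpg --with-colons`.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads a `gpg --with-colons` key listing on stdin and prints every
# primary-key fingerprint that is NOT among the expected fingerprints
# passed as arguments. Returns 0 only if at least one key was seen and
# all of them were expected.
# Typical use (hypothetical file name), before importing anything:
#   gpg --show-keys --with-colons downloaded-key.asc | unexpected_fprs "$EXPECTED_FPR"
unexpected_fprs() {
    awk -F: -v allowed="$*" '
        BEGIN {
            n = split(toupper(allowed), a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # "pub" opens a primary key; the next "fpr" record holds its
        # fingerprint in field 10. "sub" opens a subkey, whose "fpr"
        # record is skipped: trust is pinned on the primary key.
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want {
            want = 0; seen++
            if (!(toupper($10) in ok)) { print $10; bad++ }
        }
        END { if (bad > 0 || seen == 0) exit 1 }
    '
}

# Constructed sample listing: one expected key (with a subkey) and one
# extra key that was bundled into the same file.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:1111111111111111:1500000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:-::::1500000000::::Expected Archive Key (constructed):
sub:-:4096:1:2222222222222222:1500000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
pub:-:4096:1:3333333333333333:1500000000:::-:::scESC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
uid:-::::1500000000::::Unrequested Extra Key (constructed):
EOF
}
```

The expected fingerprint has to come from a source you trust independently of the download itself; the function only compares, it does not establish who owns a key.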