On Apr 05, 2020, Adrian Zaugg wrote:

> On 22.03.20 13:02, Dan Purgert wrote:
> > On Mar 21, 2020, Adrian Zaugg wrote:
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
>
> That is true, yes. But if you get other keys in your keystore than you
> really wanted, packages do verify that you don't want that they do. You
> need to verify imported keys, that they belong to the one you think they
> should. That's why I suggested to use a https-secured link, because at
> least the server gets identified through the certificates.
OK, so now you've "verified(tm)" that you successfully got "devuan_a1gn1ng_key" from https://devane.com/pgp.asc. Great that you were able to verify the server. But you still got a bogus key :)

Which was pretty much my point -- TLS doesn't protect you from getting sent the wrong key, if you somehow got directed to the wrong site...

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
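The check both posters circle around, verifying that an imported key really is the one you expected, comes down to comparing its full fingerprint against one obtained out of band rather than trusting the download channel. The following is an added example, not code from the thread or from Devuan: it parses the machine-readable output of `gpg --show-keys --with-colons --with-fingerprint` (the colon-record format is real; the sample records below are constructed, not captured from any server) and accepts the key file only if it holds exactly one primary key whose 40-digit fingerprint matches the expected value.

```python
import re

# Fingerprint obtained out of band (here: the one printed in the poster's
# signature). Spaces are allowed; they are stripped before comparison.
EXPECTED_FPR = "05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281"

# Constructed sample of `gpg --show-keys --with-colons --with-fingerprint key.asc`
# output. The uid, timestamps and key ID are made up for illustration.
SAMPLE_COLONS = """\
pub:-:4096:1:8E11DDF31279A281:1500000000::-:::scESC::::::23::0:
fpr:::::::::05CA9A503F2E13354DC54AEE8E11DDF31279A281:
uid:-::::1500000000::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>::::::::::0:
"""

# Same file with a second, unexpected primary key appended (also constructed):
# the situation "you get other keys in your keystore than you really wanted".
SAMPLE_WITH_EXTRA_KEY = SAMPLE_COLONS + """\
pub:-:4096:1:0123456789ABCDEF:1500000000::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
uid:-::::1500000000::0000000000000000000000000000000000000000::Bogus Key <bogus@example.invalid>::::::::::0:
"""


def normalize_fpr(fpr: str) -> str:
    """Remove whitespace and upper-case a fingerprint for comparison."""
    return re.sub(r"\s+", "", fpr).upper()


def primary_fingerprints(colons: str) -> list[str]:
    """Return the fingerprint of every primary key in --with-colons output.
    An 'fpr' record belongs to the preceding 'pub' or 'sub' record; subkey
    fingerprints are ignored. Field 10 (index 9) carries the fingerprint."""
    fprs, last_record = [], None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last_record = fields[0]
        elif fields[0] == "fpr" and last_record == "pub":
            fprs.append(fields[9].upper())
    return fprs


def key_matches(colons: str, expected: str) -> bool:
    """True only if the file holds exactly one primary key and its full
    40-digit fingerprint equals the expected one. Comparing a short key ID
    instead is not enough: key IDs are truncations and can collide."""
    expected_norm = normalize_fpr(expected)
    fprs = primary_fingerprints(colons)
    return len(expected_norm) == 40 and len(fprs) == 1 and fprs[0] == expected_norm
```

A file that fails this check should not be imported into the keyring at all, since every key it contains would otherwise become a trusted signer for package verification.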
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng