On Apr 05, 2020, Adrian Zaugg wrote:
> 
> 
> On 22.03.20 13:02, Dan Purgert wrote:
> > On Mar 21, 2020, Adrian Zaugg wrote:
> > The entire point of the public key is that it can be obtained over any
> > insecure medium, and still provide the correct signature verification.
> 
> That is true, yes. But if you get other keys in your keystore than you
> really wanted, packages do verify that you don't want that they do. You
> need to verify imported keys, that they belong to the one you think they
> should. That's why I suggested using an https-secured link, because at
> least the server gets identified through the certificates.

OK, so now you've "verified(tm)" that you successfully got
"devuan_a1gn1ng_key" from https://devane.com/pgp.asc.  Great that you
were able to verify the server.  But you still got a bogus key :)

Which was pretty much my point -- TLS doesn't protect you from getting
sent the wrong key, if you somehow got directed to the wrong site...


-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
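The check the thread keeps coming back to, that an imported key really is the one you meant to get, does not depend on the transport at all: it is a comparison of the key's fingerprint against a fingerprint obtained out of band (printed documentation, an installation medium, a person you trust). The Python below is an added example, not code from this thread or from any Devuan or Debian tooling. It derives the OpenPGP v4 fingerprint (RFC 4880, section 12.2: SHA-1 over `0x99`, the two-byte body length, and the public-key packet body) from a binary public-key packet and compares it, in constant time, with an expected value. The key material is constructed (an arbitrary 1024-bit modulus, not a real key) and the `SAMPLE_*` names and the `created` timestamp are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# OpenPGP (RFC 4880, section 12.2): the v4 fingerprint is
#   SHA-1( 0x99 || two-byte big-endian body length || public-key packet body )
# The 0x99 byte is itself an old-format packet header: tag 6 (public key),
# two-byte length. The fingerprint is therefore bound to the key material and
# says nothing about where, or over what channel, the key was fetched.


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet for RSA (public-key algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def public_key_body(blob: bytes) -> bytes:
    """Return the body of the first packet in a binary (dearmored) OpenPGP blob,
    insisting that it is a public-key packet (tag 6) with an old-format header."""
    tag_byte = blob[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:
        raise ValueError("new-format header; not handled by this example")
    tag = (tag_byte >> 2) & 0x0F
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    length_type = tag_byte & 0x03
    if length_type == 0:
        hdr_len, body_len = 2, blob[1]
    elif length_type == 1:
        hdr_len, body_len = 3, struct.unpack(">H", blob[1:3])[0]
    elif length_type == 2:
        hdr_len, body_len = 5, struct.unpack(">I", blob[1:5])[0]
    else:
        raise ValueError("indeterminate-length header is not valid for a key packet")
    body = blob[hdr_len:hdr_len + body_len]
    if len(body) != body_len:
        raise ValueError("truncated public-key packet")
    return body


def v4_fingerprint(body: bytes) -> str:
    """Hex fingerprint (40 uppercase characters) of a v4 public-key packet body."""
    h = hashlib.sha1()
    h.update(b"\x99" + struct.pack(">H", len(body)) + body)
    return h.hexdigest().upper()


def key_matches(blob: bytes, expected_fingerprint: str) -> bool:
    """True only if the downloaded key's fingerprint equals the one obtained out of band.
    Whitespace and case in the expected value are ignored, as in gpg's printed form."""
    expected = "".join(expected_fingerprint.split()).upper()
    actual = v4_fingerprint(public_key_body(blob))
    return hmac.compare_digest(actual.encode(), expected.encode())


# Constructed sample key (assumption for this example): the modulus is an
# arbitrary 1024-bit odd number, not a real RSA key, and the timestamp is made up.
SAMPLE_BODY = rsa_public_key_body(
    created=1584792120,
    n=(int("C0FFEE" * 42, 16) | (1 << 1023)) | 1,
    e=65537,
)
SAMPLE_BLOB = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    fp = v4_fingerprint(public_key_body(SAMPLE_BLOB))
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("matches the expected fingerprint:", key_matches(SAMPLE_BLOB, fp))
    print("matches a different fingerprint:", key_matches(SAMPLE_BLOB, "0" * 40))
```

The decision to trust a key belongs in `key_matches`, not in whether the download URL had a valid certificate: a wrong key served over perfectly good TLS still fails the comparison, which is exactly the case Dan describes above.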


_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
