Pardon my potential ignorance, but as someone that usually does the right thing security-wise, is there really much of an advantage to signify(1) and Sha256 if we are pulling the key and hash over the same HTTPS connection as what we are about to verify? It is not like with sysupgrade(8) where we have a trusted key already on disk.
Pardon my potential ignorance, but as someone that usually does the right thing security-wise, is there really much of an advantage to signify(1) and Sha256 if we are pulling the key and hash over the same HTTPS connection as what we are about to verify? It is not like with sysupgrade(8) where we have a trusted key already on disk.