[torium]

> If you download software packages from the internet, you may have noticed that some of them are signed with a GPG key. This is done to ensure that the software package has not been tampered with during the download process.

I wonder if someone could clarify this mystery to me: Supposedly the download process is protected by HTTPS, so it can't be tampered with. If we assume that it could be, then the signature that I read off their website also could've been tampered with.

Question: What am I missing?

[armitron]

Forging a signature is super hard, man-in-the-middling an HTTPS connection can be very easy (example: a lot of corporate environments do it).

[landgenoot]

Package managers don't use https on purpose in order to make it easy to cache a repository.

This is alright from a privacy perspective, because you can find out which packages are downloaded anyway by looking at the download sizes.

[SkiFire13]

Supposedly you would get the GPG key from somewhere else, ideally through a web of trust, although I find it hard to do in practice

[armitron]

Even if you don't get the public key through a web of trust, you download it "once" not every time you download a file, then you keep using it until it expires.

You also typically download it from a different place than the storage location of the signed binary artifacts. This means that an adversary will have a hard time trying to replace a public key and remain undetected.