by sarciszewski
4192 days ago
> I'm not sure what PGP would buy us over everything going over https from sites under Meteor's control?

Rogue CA certificates, targeted MITM -> RCE attacks (Nation State Adversaries, etc.). By using PGP (or, hell, openssl) to sign the package with a key that remains offline/air-gapped and then writing installer instructions that verify the signature before running anything, you reduce the odds of this happening significantly. Additionally, it allows you to mirror the contents on CDNs with some peace of mind.
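The sign-offline, verify-before-run flow the comment describes, as an added example that is not from this thread or from Meteor: it uses Go's standard-library Ed25519 in place of PGP/openssl to show the same pattern, and the release key, package bytes and function names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrBadSignature: the download does not verify against the pinned release key.
var ErrBadSignature = errors.New("package signature does not verify against pinned release key")

// SignRelease models the offline/air-gapped step: the private key never leaves
// the signing machine; only the package and its detached signature are published.
func SignRelease(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// VerifyPackage is the "verify before running anything" step. The public key is
// pinned in the installer (distributed separately from the download), so a rogue
// CA, a MITM on the download, or a tampered CDN mirror cannot swap both at once.
func VerifyPackage(pinnedPub ed25519.PublicKey, pkg, sig []byte) error {
	if len(pinnedPub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key size
		return errors.New("malformed pinned key")
	}
	if !ed25519.Verify(pinnedPub, pkg, sig) { // also false for a wrong-length sig
		return ErrBadSignature
	}
	return nil
}

// Install proceeds only after VerifyPackage succeeds; a real installer would then
// write pkg to disk and execute it. Here it returns the package digest instead.
func Install(pinnedPub ed25519.PublicKey, pkg, sig []byte) (string, error) {
	if err := VerifyPackage(pinnedPub, pkg, sig); err != nil {
		return "", err
	}
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed sample: a throwaway release key and a tiny installer payload.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := []byte("#!/bin/sh\necho installing\n")
	sig := SignRelease(priv, pkg)
	fmt.Println(Install(pub, pkg, sig))                                   // digest, <nil>
	fmt.Println(Install(pub, append(pkg, []byte("echo extra\n")...), sig)) // "", ErrBadSignature
}
```

The key-pinning check is what distinguishes this from an HTTPS-only download: a mirror can serve any package it likes, but without the offline private key it cannot produce a signature the installer accepts.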