But the checksums are pgp signed (inline pgp signature inside the sha256 checksum file), so as long as the user has the pubkey used for this signature and uses it to verify the checksums, everything is fine. The pubkey long fingerprint is noted on the main iso download page, not on the mirrors pages.
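A script that performs the verification described in this message, added here as an example and not code from the thread or from the openSUSE project. It assumes gpg (GnuPG 2) and GNU coreutils are installed and the project key has already been imported; EXPECTED_FPR is a placeholder to be replaced with the long fingerprint printed on the download page.

```shell
#!/bin/sh
# Verify an inline PGP-signed sha256 checksum file and the ISO it covers,
# pinning the signer to a known fingerprint instead of trusting "any key
# in the keyring". Example code, not from the thread or the project.

# Constructed placeholder: replace with the long fingerprint shown on the
# project's ISO download page (the thread only quotes the short ID 0x3DBDC284).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Return 0 only if gpg's --status-fd output contains a VALIDSIG line whose
# signing-key fingerprint ($3) or primary-key fingerprint ($NF) equals the
# pinned one. Plain "gpg --verify" exits 0 for any key in the keyring, so
# this check is what actually ties the download to the project key.
validsig_matches() {
    # $1 = gpg status text, $2 = expected fingerprint
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_iso CHECKSUM_FILE ISO_FILE
verify_iso() {
    checksums="$1"; iso="$2"
    # The pinned key must be in the local keyring; importing it is a separate,
    # deliberate step (fingerprint taken from the download page, not a mirror).
    gpg --batch --list-keys --with-colons "$EXPECTED_FPR" >/dev/null 2>&1 || {
        echo "pinned key $EXPECTED_FPR not in keyring; import it first" >&2; return 1; }
    status=$(gpg --batch --status-fd 1 --verify "$checksums" 2>/dev/null) || {
        echo "bad or missing signature on $checksums" >&2; return 1; }
    validsig_matches "$status" "$EXPECTED_FPR" || {
        echo "signature is not from the pinned key $EXPECTED_FPR" >&2; return 1; }
    # Feed only the signed cleartext line for this ISO to sha256sum -c, so an
    # unsigned line appended to the armored file cannot be used.
    gpg --batch --decrypt --output - "$checksums" 2>/dev/null \
        | awk -v f="$(basename "$iso")" '$2 == f' \
        | (cd "$(dirname "$iso")" && sha256sum -c -) || {
        echo "sha256 mismatch or no entry for $iso" >&2; return 1; }
    echo "$iso verified against checksums signed by $EXPECTED_FPR"
}

# Usage: verify_iso openSUSE-example.iso.sha256 openSUSE-example.iso
```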
But the PGP signatures, to be secure, need a web of trust. A separate and trusted method to download and verify the keys themselves, and this we don't have.
Probably a certified page with all keys used by the project for signing downloads and builds.
Certified by who? Some commercial CA? IMHO these are less trustable than any randomly picked PGP key. There is no running from it - at some point you need to trust someone.
Security isn't binary. Yes, you have to trust /someone/, that isn't an excuse for not providing the keys over TLS. Just because a rogue CA could mess things up doesn't suddenly make TLS useless.
At this point I trust the openSUSE Project Signing Key 0x3DBDC284 to be okay. I signed it with my key too, so in the future I'll be able to quickly notice if this is the key I trusted today. That is enough of the web of trust, that I need.
This is why the whole web of trust exists. Once you've been signed (in person) into the web of trust, you can verify the "level of trust" for any other key in the WoT, which could include the openSUSE signing keys. -- Aleksa Sarai, Docker Core Specialist, SUSE Australia, https://www.cyphar.com/