1 comment

[ 5.3 ms ] story [ 15.4 ms ] thread
> If you download software packages from the internet, you may have noticed that some of them are signed with a GPG key. This is done to ensure that the software package has not been tampered with during the download process.

I wonder if someone could clarify this mystery to me: Supposedly the download process is protected by HTTPS, so it can't be tampered with. If we assume that it could be, then the signature that I read off their website also could've been tampered with.

Question: What am I missing?