> If you download software packages from the internet, you may have noticed that some of them are signed with a GPG key. This is done to ensure that the software package has not been tampered with during the download process.
I wonder if someone could clarify this mystery to me: Supposedly the download process is protected by HTTPS, so it can't be tampered with. If we assume that it could be, then the signature that I read off their website also could've been tampered with.
Question: What am I missing?
Package managers don't use https on purpose in order to make it easy to cache a repository.
This is alright from a privacy perspective, because you can find out which packages are downloaded anyway by looking at the download sizes.
Supposedly you would get the GPG key from somewhere else, ideally through a web of trust, although I find it hard to do in practice
Even if you don't get the public key through a web of trust, you download it "once" not every time you download a file, then you keep using it until it expires.
You also typically download it from a different place than the storage location of the signed binary artifacts. This means that an adversary will have a hard time trying to replace a public key and remain undetected.
Forging a signature is super hard, man-in-the-middling an HTTPS connection can be very easy (example: a lot of corporate environments do it).