A lot of software is distributed with PGP keys. These can theoretically be used to verify that the software was created by the person who owns the key. (Sorry if I get the PGP details wrong, I have no practical experience with it.)
Software also comes over HTTPS. With Let’s Encrypt, the verification is tied to ownership of the domain (DNS records I think). So if you’re on ubuntu.com with HTTPS, you’re getting files only approved by whoever owns the ubuntu.com domain.
HTTPS is super convenient. If you’re paranoid, or the entire chain is not HTTPS (HTTPS links to HTTP downloads), you can use a hash program. Hash programs are implemented on all major OSs. It’s visually inspectable.
PGP on the other hand is such a mess that even some cryptographers don’t like it.
What practical threats would be stopped by a PGP key that are not stopped by HTTPS?
✅ plan A
- good guy owns software.org
- encrypts with let’s encrypt (only provided if they prove DNS ownership of software.org)
- https page serves software download
✅ plan B
- good guy owns software.org and has at some point signed a public key
- serves page on software.org with software verifiable with PGP key import
❌ plan C
- bad guy owns software.org
- software is compromised, but you would never know
- software is malware
❌ plan D
- bad guy owns software.org
- did not compromise the public key (created years prior by the true owner)
- they cannot distribute software that matches the public key
- software is malware, served over valid https, and verifiable with malware hashes served by bad guy
So you trust every single mirror to never be compromised?
How do you verify the hash?