Comment by SkiFire13
6 months ago
Supposedly you would get the GPG key from somewhere else, ideally through a web of trust, although I find it hard to do in practice
6 months ago
> Supposedly you would get the GPG key from somewhere else, ideally through a web of trust, although I find it hard to do in practice
Even if you don't get the public key through a web of trust, you download it "once", not every time you download a file, then you keep using it until it expires.
You also typically download it from a different place than the storage location of the signed binary artifacts. This means that an adversary will have a hard time trying to replace a public key and remain undetected.
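The pinned-key flow the reply describes, as an added example that is not part of either comment: the downloader keeps the publisher key it fetched once from an out-of-band location and verifies every release against that pin, ignoring whatever key is co-located with the artifact. Ed25519 from the Go standard library stands in for GPG here, and the key names, artifact bytes and expiry window are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// PinnedKey is what the downloader stores after fetching the publisher's
// public key once from its out-of-band location (key server, project site).
type PinnedKey struct {
	Key     ed25519.PublicKey
	Expires time.Time
}

// Release is what sits at the artifact storage location: the binary, its
// detached signature and, as many sites do, a copy of the public key.
type Release struct {
	Artifact  []byte
	Signature []byte
	CoLocated ed25519.PublicKey
}

// VerifyRelease checks the artifact against the pinned key only; the key
// shipped next to the artifact is deliberately never consulted.
func VerifyRelease(pin PinnedKey, rel Release, now time.Time) error {
	if now.After(pin.Expires) {
		return fmt.Errorf("pinned key expired; re-fetch it out of band")
	}
	if !ed25519.Verify(pin.Key, rel.Artifact, rel.Signature) {
		return fmt.Errorf("signature does not verify against pinned key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed publisher key
	pin := PinnedKey{Key: pub, Expires: time.Now().Add(365 * 24 * time.Hour)}
	good := Release{Artifact: []byte("v1.0 binary"), CoLocated: pub}
	good.Signature = ed25519.Sign(priv, good.Artifact)
	fmt.Println("genuine release:", VerifyRelease(pin, good, time.Now()))

	// An adversary controlling the artifact host swaps artifact, signature and
	// co-located key; the pinned key still rejects the download.
	apub, apriv, _ := ed25519.GenerateKey(rand.Reader)
	bad := Release{Artifact: []byte("replaced binary"), CoLocated: apub}
	bad.Signature = ed25519.Sign(apriv, bad.Artifact)
	fmt.Println("replaced release:", VerifyRelease(pin, bad, time.Now()))
}
```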