On 27.10.20 03:45, Eli Schwartz via arch-general wrote:
The point of a signing key is to say "this key certifies the correct software and I commit to using it. Anything else is automatically suspect as malware".
You don't immediately respond by saying "well it came from the same website and some unverified source told me the key totally got lost but it's fine. So let's blindly click accept".
The only thing a signing key accomplishes is that you can verify which other commits were made by that signing key, i.e. by that person. If you verified the key via a second channel, you also know the person the key belongs to. Anything beyond that is just a point of view. A signing key has nothing to do with malware at all. What made you think the software hasn't been malware in the first place? What makes you think the person owning that signing key isn't writing good software until some distros trust his key and add the software as an official package, and then the person starts implementing evil backdoors? I'm just wondering, because you can easily write malicious software and sign it with the same key all the time.