I was trying to download Debian linux package for nginx

It needs a signing key.

The signing key is verified through public key.

PROBLEM: is public key is ONLY on http page. Https does not work on that page. http://nginx.org/keys/nginx_signing.key

So how do we even know the public key is good? This is strategic download. There could be all kinds of security issues like MITM attack.

I am not key expert, but I know public key must be trustworthy. How come it is not at least protected by SSL so it is more likely the download is good.

Am I crazy? Can we get SSL here?