I was trying to download the Debian Linux package for nginx.
It needs a signing key.
The signing key is verified through a public key.
PROBLEM: the public key is ONLY on an http page. Https does not work on that page. http://nginx.org/keys/nginx_signing.key
So how do we even know the public key is good? This is a strategic download. There could be all kinds of security issues like a MITM attack.
I am not a key expert, but I know the public key must be trustworthy. How come it is not at least protected by SSL, so it is more likely the download is good?
Am I crazy? Can we get SSL here?
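The practical check for a key fetched over plain http is to compare its OpenPGP fingerprint against a value obtained through a different channel (project documentation served over HTTPS, a keyserver, a Debian package that ships the key, or a colleague who already trusts it); if the fingerprint matches, the transport the key file arrived over no longer matters. The following is an added example written for this thread, not code from the poster or from the nginx project: it dearmors a public key block, locates the first Public-Key packet, computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, the two-byte body length and the body) and compares it to an expected fingerprint. The expected value on the command line is a placeholder you must supply from an out-of-band source; the built-in sample key is a constructed packet with a dummy modulus, used only to exercise the parser.

```python
import base64
import hashlib
import hmac
import struct


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (RFC 4880 section 6.2) and base64-decode the packets.

    Armor headers such as "Version: ..." end at the first blank line; a trailing
    "=XXXX" line is the CRC24 checksum, not key data, so it is skipped.
    """
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored OpenPGP public key block")
    b64, in_headers = [], True
    for line in lines[1:]:
        line = line.strip()
        if line.startswith("-----END"):
            break
        if in_headers and (line == "" or ":" in line):
            in_headers = line != ""          # blank line closes the header section
            continue
        in_headers = False
        if not line.startswith("="):         # "=XXXX" is the CRC24 line
            b64.append(line)
    return base64.b64decode("".join(b64))


def first_public_key_packet(data: bytes) -> bytes:
    """Walk the packet stream and return the body of the first Public-Key packet
    (tag 6). Subkeys, user IDs and signatures are skipped."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("malformed packet header at offset %d" % pos)
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        body = data[pos + hdr:pos + hdr + length]
        if tag == 6:
            return body
        pos += hdr + length
    raise ValueError("no Public-Key packet found")


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are supported here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def fingerprint_of_armored(text: str) -> str:
    return v4_fingerprint(first_public_key_packet(dearmor(text)))


def matches_expected(text: str, expected: str) -> bool:
    """Compare the key's fingerprint with one obtained out-of-band; spaces and
    case are ignored so a fingerprint copied from documentation compares cleanly."""
    want = expected.replace(" ", "").upper()
    return hmac.compare_digest(fingerprint_of_armored(text), want)


def _crc24(data: bytes) -> int:
    crc = 0xB704CE                                        # RFC 4880 section 6.1
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def make_test_key(created: int = 1700000000) -> str:
    """CONSTRUCTED sample: a syntactically valid v4 RSA Public-Key packet in armor.
    The modulus is a dummy byte pattern, not real key material."""
    def mpi(value: bytes) -> bytes:
        return struct.pack(">H", int.from_bytes(value, "big").bit_length()) + value
    n, e = bytes(range(1, 33)), b"\x01\x00\x01"           # dummy 32-byte modulus, e = 65537
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format tag 6, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(_crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: constructed example", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: verify_fpr.py nginx_signing.key <FINGERPRINT-FROM-OUT-OF-BAND-SOURCE>
        text, expected = open(sys.argv[1]).read(), sys.argv[2]
    else:                       # no arguments: demonstrate on the constructed sample key
        text = make_test_key()
        expected = fingerprint_of_armored(text)
    print("fingerprint:", fingerprint_of_armored(text))
    print("matches expected:", matches_expected(text, expected))
```

The comparison is only meaningful when the expected fingerprint comes from somewhere other than the same http page: a value copied from the page next to the key would be replaced by the same attacker who replaced the key. `gpg --show-keys --fingerprint nginx_signing.key` prints the same value and is the usual tool for this; the code above exists to show what that fingerprint actually covers.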