I was trying to download the Debian Linux package for nginx. It needs a signing key. The signing key is verified through a public key. PROBLEM: the public key is ONLY on an http page. Https does not work on that page: http://nginx.org/keys/nginx_signing.key So how do we even know the public key is good? This is a strategic download. There could be all kinds of security issues, like a MITM attack. I

by momo - Ideas and Feature Requests