Use HTTPS for GPG key download!

On your build pages you always list PGP/GPG keys. However, you let users download them via HTTP, which means anyone can MITM the connection and replace the keys with rogue keys.
If that is done, anyone can install malicious software on your device, as the PGP key is not valid. And in your console snippets you also show no other way of validation (of the PGP key or other things).

Also your server HTTPS config needs to be fixed:
Outdated ciphers, no Forward Secrecy, RC4, HSTS header too short, …

Also you should allow me to use any characters in my password I want:

That should not be an issue. You should be evaluating keys by their signatures, rather than by how you downloaded them.

With the Web of Trust, I assume…

So, yes of course you might do this, but

  1. You never inform the user about this.
  2. AFAIK each software has its own key, making it very complex to verify each key.
  3. Who does use the WoT anyway? I mean what percentage of your users - would you think - has contact with an OpenSuse dev or can build a connection (with other trusted people) to them?
  4. HTTPS certainly increases the security of the transmission. You can still validate it with the WoT - if possible.
  5. And HTTPS is really easy to enable. Currently one cannot even manually access the key via HTTPS - if he changes the URL.


These are the openSUSE Forums, not the SUSE one…

Thanks for the link. It is nice to see that you think about a solution.
I would propose to just self-host the PGP key (and use HTTPS). You really do not need mirrors for it.

Additionally mirrors could modify the PGP key and also serve malicious software, so it is not a good idea to host the PGP key somewhere else anyway.
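Added example (my own, not code from this thread or from openSUSE) illustrating the point made in the opening post and in the reply about evaluating keys by their signatures: whatever transport or mirror served the key, the client should pin the key's fingerprint (obtained out of band) and refuse to import anything else. It parses an OpenPGP public-key packet (old- or new-format header), computes the RFC 4880 v4 fingerprint, and compares it in constant time against a pin. The two keys below are constructed toy RSA parameters, not real openSUSE keys, and the fetch step is assumed to have already happened (the blob is what the HTTP/HTTPS download returned).

```python
# Added example, not part of the thread: pin an OpenPGP key's fingerprint so a
# key swapped in transit (HTTP MITM) or on a tampered mirror is rejected no
# matter how it was fetched. Standard library only; sample keys are constructed
# toy RSA parameters, not real openSUSE keys.
import hashlib
import hmac
import struct


def _mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_rsa_pubkey_packet(n, e, created, new_format=False):
    """Build a v4 RSA public-key packet (tag 6) with toy parameters (constructed sample)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    length = len(body)
    if new_format:
        # New-format header (RFC 4880 4.2.2): 0xC0 | tag, then a 1-, 2- or 5-octet length.
        if length < 192:
            hdr = bytes([0xC0 | 6, length])
        elif length < 8384:
            hdr = bytes([0xC0 | 6, ((length - 192) >> 8) + 192, (length - 192) & 0xFF])
        else:
            hdr = bytes([0xC0 | 6, 0xFF]) + struct.pack(">I", length)
        return hdr + body
    # Old-format header: 0x80 | tag<<2 | length-type 1 (two-octet length) == 0x99.
    return b"\x99" + struct.pack(">H", length) + body


def parse_packet(blob):
    """Return (tag, body) of the first OpenPGP packet in blob; raises ValueError on junk."""
    if not blob or not blob[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    ctb = blob[0]
    if ctb & 0x40:  # new format
        tag = ctb & 0x3F
        b1 = blob[1]
        if b1 < 192:
            off, length = 2, b1
        elif b1 < 224:
            off, length = 3, ((b1 - 192) << 8) + blob[2] + 192
        elif b1 == 255:
            off, length = 6, struct.unpack(">I", blob[2:6])[0]
        else:
            raise ValueError("partial body lengths unsupported")
    else:  # old format
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 0:
            off, length = 2, blob[1]
        elif ltype == 1:
            off, length = 3, struct.unpack(">H", blob[1:3])[0]
        elif ltype == 2:
            off, length = 5, struct.unpack(">I", blob[1:5])[0]
        else:
            raise ValueError("indeterminate length unsupported")
    body = blob[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def fingerprint_v4(blob):
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length and the v4 key packet body.
    The header format the packet was shipped with does not affect the result."""
    tag, body = parse_packet(blob)
    if tag != 6 or not body or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def accept_key(blob, pinned_fingerprint):
    """True only if the downloaded key's fingerprint equals the pin.
    The pin must come from an out-of-band source (the project's HTTPS page, a signed
    release note, a keyring you already trust), never from the same download."""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    try:
        return hmac.compare_digest(fingerprint_v4(blob), pinned)
    except (ValueError, IndexError):
        return False


# Constructed toy keys. GENUINE is what the project published; ROGUE is what a
# MITM on an HTTP download, or a tampered mirror, could serve instead.
GENUINE_KEY = build_rsa_pubkey_packet(n=(1 << 1023) + 0x1337, e=65537, created=1_400_000_000)
ROGUE_KEY = build_rsa_pubkey_packet(n=(1 << 1023) + 0xBEEF, e=65537, created=1_400_000_000)
# In a real client this is a hard-coded string taken from an out-of-band source;
# it is derived here only because the sample key is generated at runtime.
PINNED = fingerprint_v4(GENUINE_KEY)


def demo():
    """Outcome of the pin check for the genuine key and the swapped-in one."""
    return {"genuine_accepted": accept_key(GENUINE_KEY, PINNED),
            "rogue_accepted": accept_key(ROGUE_KEY, PINNED)}


if __name__ == "__main__":
    print(PINNED, demo())
```

The transport (HTTP, HTTPS, a mirror) only changes how likely a swap is; the check above is what actually decides whether a swapped key gets imported. HTTPS is still worth enabling because most users will never perform this comparison, and a pin printed on a page served over plain HTTP can be rewritten by the same attacker who rewrites the key.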