On your build pages you always list PGP/GPG keys. However you let users download them via HTTP, which means anyone can MITM the connection and replace the keys with rogue keys.
If that is done anyone can install malicious software on your device as the PGP key is not valid. And in your console snippets you also show no other way of validation (of the pgp key or other things).
AFAIK each software has its own key making it very complex to verify each key.
Who does use the WoT anyway? I mean what percentage of your users - would you think - has contact with an OpenSuse dev or can build a connection (with other trusted people) to them?
HTTPS certainly increases the security of the transmission. You can still validate it with the WoT - if possible.
And HTTPS is really easy to enable. Currently one cannot even manually access the key via HTTPS - if he changes the URL.
Thanks for the link. It is nice to see that you think about a solution.
I would propose to just self-host the pgp key (and use HTTPS). You really do not need mirrors for it.
Additionally mirrors could modify the PGP key and also serve malicious software, so it is not a good idea to host the PGP key somewhere else anyway.
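As an added example (not code from the thread or from openSUSE's tooling): a small Python check for the two points raised above, refusing to fetch a signing key over plain HTTP and pinning the key's fingerprint before it is trusted. It parses the first OpenPGP public-key packet and computes the v4 fingerprint as RFC 4880 defines it; the key block, the URL and the pinned value are constructed placeholders, not real openSUSE keys.

```python
import base64
import hashlib
from urllib.parse import urlparse

def require_https(url: str) -> str:
    """Refuse a key URL that is not HTTPS (the MITM case from the thread)."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"key URL must use HTTPS: {url}")
    return url

def dearmor(armored: str) -> bytes:
    """Return the binary packets of an ASCII-armored key block (CRC line skipped)."""
    lines = armored.strip().splitlines()
    start = lines.index("") + 1                     # armor headers end at the blank line
    data = [l for l in lines[start:] if not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(data))

def first_packet(data: bytes):
    """Parse one OpenPGP packet header (RFC 4880 4.2) and return (tag, body)."""
    ctb = data[0]
    if ctb & 0x40:                                  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths unsupported")
    else:                                           # old-format header
        tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
        if n == 8:
            raise ValueError("indeterminate length unsupported")
        length, off = int.from_bytes(data[1:1 + n], "big"), 1 + n
    return tag, data[off:off + length]

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-byte length || public-key packet body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def verify_key(armored: str, pinned: str) -> str:
    """Return the key's fingerprint if it equals the pinned one, otherwise raise."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    fpr = v4_fingerprint(body)
    if fpr != pinned.replace(" ", "").upper():
        raise ValueError(f"fingerprint mismatch: got {fpr}")
    return fpr

# Constructed sample: a well-formed v4 RSA key packet with dummy numbers, not a real key.
_mpi = lambda b: int.from_bytes(b, "big").bit_length().to_bytes(2, "big") + b
SAMPLE_BODY = b"\x04" + bytes(4) + b"\x01" + _mpi(b"\xc0" + b"\x11" * 15) + _mpi(b"\x01\x00\x01")
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                  + base64.b64encode(b"\x98" + bytes([len(SAMPLE_BODY)]) + SAMPLE_BODY).decode()
                  + "\n=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

In practice the pinned fingerprint comes from a source independent of the download (printed documentation, a signed release note, or an in-person check), which is what the WoT question above is really about.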