Seems like a wide gaping hole in the process for checking integrity of e.g. Linux distro releases


Many Linux distributions recommend using downloaded signing keys to verify the integrity of downloaded checksums. This seems utterly ridiculous to me, since the downloaded keys are just as suspect as the downloaded checksums. And checking key fingerprints is exactly the same thing, i.e. the page with the fingerprints is just another file downloaded by my browser.

Example: https://getfedora.org/en/security/

If I trust the PKI of my browser (assuming https) to authenticate the key or key fingerprints, then I don't need the signing process in the first place. But of course I DON'T trust the PKI because the list of root certs distributed with major OSes is chock-full of very very dodgy CAs.

At minimum, shouldn’t the keys of a new release be signed with the keys of the previous release? That way you can maintain a chain of integrity.

Given that the same process is used for GPG (https://gnupg.org/signature_key.html), I assume I am being a moron and missing something obvious. Can anyone explain?
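The "chain of integrity" idea in the question, sketched as an added example that is not part of the original post and not any distribution's actual tooling: each release key is signed by the previous release's key, and a verifier walks forward from the one key it already holds. Ed25519 stands in for OpenPGP signatures here, and the names `Link`, `BuildChain` and `VerifyChain` and the key seeds are hypothetical and constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Link is one hop: a release's public key, signed by the previous release's key.
// Assumption: Ed25519 over the raw key bytes stands in for an OpenPGP key signature.
type Link struct {
	Release string
	Pub     ed25519.PublicKey
	SigPrev []byte
}

// newKey derives a key pair from a constructed one-byte seed (demo only).
func newKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildChain returns the first key (already trusted) and n links signed in sequence.
func BuildChain(n int) (ed25519.PublicKey, []Link) {
	rootPub, prevPriv := newKey(1)
	links := make([]Link, 0, n)
	for i := 0; i < n; i++ {
		pub, priv := newKey(byte(i + 2))
		links = append(links, Link{fmt.Sprintf("release-%d", i+2), pub, ed25519.Sign(prevPriv, pub)})
		prevPriv = priv
	}
	return rootPub, links
}

// VerifyChain walks from the pinned key to the newest and fails at the first bad hop.
func VerifyChain(pinned ed25519.PublicKey, links []Link) (ed25519.PublicKey, error) {
	cur := pinned
	for _, l := range links {
		if !ed25519.Verify(cur, l.Pub, l.SigPrev) {
			return nil, fmt.Errorf("broken chain at %s", l.Release)
		}
		cur = l.Pub
	}
	return cur, nil
}

func main() {
	root, links := BuildChain(3)
	_, err := VerifyChain(root, links)
	fmt.Println("chain ok:", err == nil)
}
```

The walk only moves trust forward from the pinned key, so the first key in the chain still has to be authenticated by some other means.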