Sublime Forum

[linux, install] Add the GPG key fingerprint at least on https://www.sublimetext.com/docs/3/linux_repositories.html

#1

TL;DR: The GPG key fingerprint should be published in order to validate the GPG key installed as part of the installation instructions for Linux.

According to the installation instruction for Linux:

apt
Install the GPG key:
wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
[…]
Update apt sources and install Sublime Text

sudo apt-get update
sudo apt-get install sublime-text

The way it is explained, we will download and install a new trust anchor from https://download.sublimetext.com/sublimehq-pub.gpg. But, given those instructions, there is no way for the end user to ensure the gpg key that will be added is the genuine one. If the download.sublimetext.com web server were subverted and an attacker put his own gpg key there, users would end up happily installing that subverted key into their keychain, thereby defeating the whole purpose of signing the packages.

At the very least you should either provide the GPG key fingerprint (ideally from different/multiple sources) so that the user can validate the GPG key before installing it, or give instructions to verify that the downloaded key was signed by an authority the end user is able to trust.

BTW: congratulations on the great work on Sublime 3. I hope you will fix that minor documentation issue so it will no longer prevent people from installing Sublime in a trusted way!

0 Likes

#2

What makes you think the download server and www server are on separate physical machines? Even if they are separate, isn’t it likely that an attack on the download server could be used on the www server, which leaves you in the same situation, right?

Currently, I don’t see what practical security benefits there would be to publishing the GPG fingerprint. In fact, the only thing the GPG key does for you as a user is ensure whoever has published sublime-text previously is either:

  1. The same user who published it previously (supposedly Sublime HQ Pty Ltd)
  2. Someone else who has a GPG key trusted on your machine

As a counter question for you, what command line options can be passed to apt-key to verify the keyid of a key when adding by filename? Or would you expect the average user to download a key file, run a command to display the key id, manually compare that with a key id on a web page, and then add the key?

0 Likes

#3

Nothing. So you should publish the fingerprint on several independent channels. Or make the key part of a chain that can be ultimately trusted by the user.

My problem is with the “supposedly” part of your statement. While performing an initial installation, there is no way to confirm the key the user is downloading is the genuine one.

I usually do things in three steps: (1) download the gpg key, (2) validate the key, (3) if validation passes, install the key in my keychain.

Using fingerprint validation:

(1) wget … > key.gpg
(2) gpg --no-options --with-fingerprint --keyid-format LONG key.gpg

Only if the fingerprint matches the one I’ve obtained from an independent channel:

(3) apt-key add key.gpg

Steps 1 and 2 should work the same in both the Debian and RHEL worlds.

0 Likes

#4

I wrote a whole bunch addressing your points, but I deleted it because I’ve had this conversation before. I know you are fixated on this idea in your head that you have the perfect solution to solving this specific threat model, and you won’t hear any arguments to the contrary.

Your suggestions add effectively no real world security to the install process (because 99.999% of users won’t go to independent sources to verify the key), but will likely cause more users to try to find a “simpler” way to install, like grabbing the .deb directly.

For the 1 in 100,000 users who want the GPG fingerprint, here you go:

  • Non-RPM key: 1EDD E2CD FC02 5D17 F6DA 9EC0 ADAE 6AD2 8A8F 901A
  • RPM key: 1B64 2796 75A4 299D CFC7 0858 CA46 4A9A 222D 23D0

0 Likes
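The download, verify, then install sequence from #3, with the non-RPM fingerprint published in #4 plugged in, written out as a script. This is an added example, not code from the thread or from Sublime HQ; it assumes gpg, wget, awk and apt-key are available and that the downloaded file holds a single key. Run it as `sh verify-sublime-key.sh install`; without the argument it only defines the functions.

```sh
#!/bin/sh
# Added example: fetch the Sublime Text apt key, compare its fingerprint with
# the published value, and only then hand the file to apt-key.
KEY_URL="https://download.sublimetext.com/sublimehq-pub.gpg"
# Non-RPM key fingerprint as posted in the thread; cross-check it against a
# second, independent source before relying on it.
EXPECTED_FPR="1EDD E2CD FC02 5D17 F6DA 9EC0 ADAE 6AD2 8A8F 901A"

# Canonical form for comparison: no whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeeds only when both values are full 40-hex-digit v4 fingerprints and
# identical after normalisation; a short key ID is not accepted as a match.
fingerprints_match() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Print the primary-key fingerprint of the first key in a keyring file.
# --no-options ignores the user's gpg.conf; show-only parses without importing.
file_fingerprint() {
    gpg --no-options --batch --with-colons --import-options show-only \
        --import "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_key() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    wget -qO "$tmp" "$KEY_URL" || { echo "download failed" >&2; exit 1; }
    actual=$(file_fingerprint "$tmp")
    if fingerprints_match "$actual" "$EXPECTED_FPR"; then
        echo "fingerprint OK: $actual"
        sudo apt-key add "$tmp"
    else
        echo "fingerprint MISMATCH: got '$actual', expected '$EXPECTED_FPR'" >&2
        echo "key NOT installed" >&2
        exit 1
    fi
}

if [ "${1-}" = "install" ]; then
    install_key
fi
```

On current Debian and Ubuntu releases apt-key is deprecated; the verified file can instead be placed under /etc/apt/keyrings/ and referenced with a signed-by option in the sources entry, and the fingerprint check itself is unchanged.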

#5

I’m surprised (1) you read my mind and (2) you believe I’m stubborn.

Thank you: I didn’t ask for more than that.

0 Likes