TL;DR: The GPG key fingerprint should be published in order to validate the GPG key installed as part of the installation instructions for Linux.
According to the installation instruction for Linux:
Install the GPG key:
wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
Update apt sources and install Sublime Text
sudo apt-get update
sudo apt-get install sublime-text
The way it is explained, we will download and install a new trust anchor from
https://download.sublimetext.com/sublimehq-pub.gpg. But, given those instructions, there is no way for the end user to ensure the gpg key that will be added is the genuine one. If the
download.sublimetext.com web server was subverted and an attacker put his own gpg key here, users will end up happilly installing that subverted key into their keychain. So defeating the whole purpose of signing the packages.
At the very least you should either provide the GPG key fingerprint (ideally from a different/multiple sources) in order for the user to validate the GPG key before installing it. Or give the instructions to verify the downloaded key was signed by an authority the end user will be able to trust.
BTW: congratulations for the great work on Sublime 3. I hope you will fix that minor documentation issue so it will no longer prevent people to install Sublime in a trusted way!