In order to download the Linux Mint keyring you propose the link http://packages.linuxmint.com/pool/main/l/linuxmint-keyring/?ref=itsfoss.com.
It uses an insecure HTTP connection. The downloaded keys therefore cannot be considered to arrive unaltered from packages.linuxmint.com. In order to use such a key, one has to verify its fingerprint using an HTTPS connection. But from where do I get the fingerprint of the key I am going to use?
Also, I am missing signed-by=/etc/apt/keyrings/....gpg between deb and the URL in the file /etc/apt/sources.list.d/mint.list. One should no longer use the trusted keyrings which allow cross-signing: each key allows verification of any package, which opens a security risk!
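An added example, not part of the comment above or of the article it replies to: a Python check that reads one-line apt source entries and reports those with no signed-by option, or whose signed-by keyring sits in a globally trusted location and therefore scopes nothing. The function name, the suite name and the keyring file names are hypothetical, and the sample entries are constructed.

```python
import re

# Keyring locations apt trusts for every configured repository.
GLOBAL_TRUST = ("/etc/apt/trusted.gpg", "/etc/apt/trusted.gpg.d/")

# One-line format: deb [opt=val ...] uri suite component...
ENTRY = re.compile(
    r"^(?:deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?(?P<uri>\S+)\s+\S+"
)

def audit_sources(text):
    """Return (line_no, uri, problem) for entries without a scoped key."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = ENTRY.match(line)
        if not m:
            continue
        opts = {}
        for item in (m.group("opts") or "").split():
            key, _, value = item.partition("=")
            opts[key.rstrip("+-").lower()] = value
        keyring = opts.get("signed-by", "")
        if not keyring:
            findings.append((no, m.group("uri"), "no signed-by option"))
            continue
        for path in keyring.split(","):
            # A keyring stored under the global trust paths still
            # verifies every other repository as well.
            if path.startswith(GLOBAL_TRUST):
                findings.append((no, m.group("uri"),
                                 "signed-by keyring is globally trusted"))

    return findings

# Constructed sample modelled on /etc/apt/sources.list.d/mint.list
SAMPLE = """\
# constructed entries; suite and keyring names are placeholders
deb http://packages.linuxmint.com example main
deb [signed-by=/etc/apt/trusted.gpg.d/mint.gpg] http://packages.linuxmint.com example main
deb [arch=amd64 signed-by=/etc/apt/keyrings/mint.gpg] http://packages.linuxmint.com example main
"""

if __name__ == "__main__":
    for no, uri, problem in audit_sources(SAMPLE):
        print(f"line {no}: {uri}: {problem}")
```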