GPG Package Signing Key needs to be in the public keyserver network
Please publish the [b][email protected][/b] GPG signing key to the GPG keyserver network so it can be reliably retrieved by gpg. The current HTTP website method of distributing the public key is horrendous and not fit for purpose - there is no security in publishing the key over an unencrypted HTTP channel since it could be substituted for some other key, allowing a malicious MITM attacker to install a compromised software package on users' devices. Your staff (with email addresses @vivaldi.net) should sign and trust the key so that users can evaluate that trust. I'm surprised a browser 'manufacturer' (who should be focused on the user's security) would distribute code that cannot be trusted in this way.
File hashes would be an additional aid but the same issue would occur - unless they're signed by the Vivaldi GPG key, and that key can be got from the public key-servers and is signed by other easily-verified vivaldi.net keys that are associated with well-known publicly visible Vivaldi email addresses, there is no chain of trust.
Considering it only takes 15 seconds to push one's GPG key to a public key-server, the fact that this issue still endures doesn't inspire confidence.
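As an added example (not from the post and not Vivaldi's own tooling), here is the verification flow the post asks for, as a POSIX shell script: fetch the signing key from the keyserver network by its full fingerprint, which the user has pinned from an out-of-band source, refuse to proceed unless the imported key really has that fingerprint, and accept a package only when its detached signature was made by that exact key. The keyserver URL (keys.openpgp.org), the fingerprint and all file names are assumptions.

```shell
#!/bin/sh
# Added example: pin a package-signing key by fingerprint and verify a
# detached signature against it. Keyserver, fingerprint and file names
# are placeholders chosen for this example.
set -eu

# Return 0 only if a key whose fingerprint is exactly $1 is in the keyring.
# The "fpr" record of --with-colons output carries the fingerprint in field 10.
check_fingerprint() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: -v want="$1" '$1=="fpr" && $10==want {found=1} END {exit !found}'
}

# Fetch a key from the keyserver network by full fingerprint (never by short
# key id), then refuse to continue unless the imported key has that fingerprint.
fetch_pinned_key() {
  gpg --batch --keyserver "${2:-hkps://keys.openpgp.org}" \
      --recv-keys "$1" >/dev/null 2>&1 || return 1
  check_fingerprint "$1"
}

# Verify detached signature $3 over package $2 and require the signature to
# come from the pinned key $1. VALIDSIG reports the signing-key fingerprint in
# field 3 and the primary-key fingerprint in the last field; accept either.
# Using --status-fd avoids parsing the human-readable "Good signature" text.
verify_package() {
  gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null \
    | awk -v want="$1" \
        '$2=="VALIDSIG" && ($3==want || $NF==want) {ok=1} END {exit !ok}'
}

# Usage (placeholder fingerprint, pinned from an out-of-band source):
#   fetch_pinned_key 0000000000000000000000000000000000000000 \
#     && verify_package 0000000000000000000000000000000000000000 vivaldi.deb vivaldi.deb.sig
```

A "good signature" from gpg alone is not enough: without the fingerprint check, a substituted key served over plain HTTP would also yield a good signature.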