The attacker can meddle with every step taken before the signature verification. The way you handle the HTTP responses, the way you handle the signature format, all that. Captive portals have already caused corruption issues for Apt, signed packages be damned.
Saying it's "fair" is like saying engine maintenance does not matter because the tires are inflated. There are more components to it.
Ensuring the correctness of your entire stack against an active MITM is significantly more difficult than ensuring the correctness of just a TLS stack against an active MITM.
Saying it's "fair" is like saying engine maintenance does not matter because the tires are inflated. There are more components to it.
Ensuring the correctness of your entire stack against an active MITM is significantly more difficult than ensuring the correctness of just a TLS stack against an active MITM.