rustup warning seems inaccurate to me #54
Description
Hi, rust-lang/rustup#2028 is the current rustup status around PGP validation. In particular we validate the signature on the channel manifest, and then checksums on every file vs the checksum in the manifest.
While rustup releases are not signed, one could build that once and distributed in a secure fashion within in an organisation if needed; downgrade attacks via channel manifest replacement are possible, IFF (rust infrastructure is compromised || TLS is broken), since the manifests are downloaded from https://static.rust-lang.org.
Certificate pinning: we depend on a defaulted set of GPG keys, included in rustup's source and compiled into the binary. TLS certificate pinning : static.rust-lang.org is using dynamically refreshed certs, making pinning hard. If that changes we can consider it.