>so they stress that you need to verify the image signature against their GPG signing key which is distributed via github.
If someone has the ability to MiTM HTTPS connections, they could just as easily MiTM the victim's connection to github to return a different GPG signing key. Also, the protection requires active checking rather than coming 'for free' like it does by downloading via HTTPS, so 95%+ of the users won't bother and won't have any protection.
I think CoreOS took a big step backwards here. Just offer the download links via HTTPS in addition to the GPG key. That way people that don't bother with GPG have protection.
If you use CoreOS, you just need to get the Core OS key one time, and sign it with your own key, then let the keyservers mirror it for you. An adversary can still make sure you can't connect to any key servers -- but it's an order of magnitude easier to verify a single GPG key (even if that involves getting on a plane and talking to a CoreOS developer in person) -- than it is to verify every single CA cert shipped with your browser.
Just look at the latest CNNIC key removal: essentially Google and Firefox are saying that SSL was never secure, because we couldn't trust CNNIC, even though everyone shipped their keys.
Before that, no browser was secure, because a number of CAs were compromised, and or incompetent.
While GPG isn't some magic dust that makes trust easy -- it's crazy to claim that SSL is somehow more secure, or more importantly, easier to trust.
[edit: And that doesn't even touch on the number of lines of code involved, the directness of the path between what is signed, and who will use it (security of the web server, dns etc not an issue if you know you can trust the GPG signature...]
SSL does nothing to guarantee the integrity of code you download and run off the internet.
I'm not worried about MITM attacks, SSL provides adequate protection against those in most cases; but if someone gains access to the coreos systems SSL would not help.
In this case, I have a GPG key saved for the coreos image signing, which hopefully is done offline and I got that through a third party which I have a certain amount of trust on (github), and I can always verify it on other channels.
But did you verify it on other channels? Or did you do like 99.9% of users and assume nobody would be attacking you? My point is mainly that gpg is such a usability nightmare that it's effectively a broken security model.
If someone has the ability to MiTM HTTPS connections, they could just as easily MiTM the victim's connection to github to return a different GPG signing key. Also, the protection requires active checking rather than coming 'for free' like it does by downloading via HTTPS, so 95%+ of the users won't bother and won't have any protection.
I think CoreOS took a big step backwards here. Just offer the download links via HTTPS in addition to the GPG key. That way people that don't bother with GPG have protection.