Verify the authenticity of the Debian repository key

Hello,

I was following along with the instructions outlined in the Open Source - Asterisk 22 on Debian 12 with official Sangoma FreePBX package repository guide. Step two of said guide instructs you to run the following command to download the GPG key for the apt repository over plain http.

wget http://deb.freepbx.org/gpg/aptly-pubkey.asc

The guide does not provide instructions on how to verify the authenticity of this key itself, therefore rendering any authenticity verifications based on that key obsolete.

Is there any way to verify the authenticity of the GPG key?

Whilst that site seems to go far below acceptable standards, short of visiting in person, and asking to see the fingerprint, in the actual machine room, whether or not a key has been reasonably validated is always going to be a judgement call. If you use https:, do you trust the certificate signer's client authentication procedures? (Most people using FreePBX use Let's Encrypt, which only has a relatively low level of authentication; would you accept it if the above site had a Let's Encrypt certificate?)

On the other hand, repeated accesses across time and space, returning the same GPG key, might well give someone quite high confidence.

Also, you have to establish trust for any instructions on how to verify. If you need step by step instructions, you are vulnerable to instructions from a bad actor.


Actually GPG keys shouldn't require https, as GPG has its own trust system. It's been too long since I used the GPG command line tools, so I can't be sure if the key in question has been signed. (It hasn't.) Again, though, you have to make your own judgements as to whether you trust the signers. Any canned instructions will reflect the writer's judgement, not yours.

Current fingerprint is:

991C 357C 8A35 9D03 82BC 6E87 C4DF E68F CE6D E186

Documentation updated accordingly, thank you.

LMK if your results differ :)
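The check the thread circles around, written out as an added example (it is not from the guide and not posted by anyone above): fetch the key, derive its fingerprint locally with GnuPG without importing it into any keyring, and only install it for apt if that fingerprint matches the one posted in this thread. The URL is the one from the guide and the expected fingerprint is the one given above; the destination path /etc/apt/keyrings/freepbx.gpg is an assumption. The transport (http or https) does not establish authenticity here, the out-of-band fingerprint does, so the same value should be checked against other sources (a later download, a different network) as the replies suggest.

```shell
#!/bin/sh
# Added example, not part of the FreePBX guide or this thread: fetch the
# repository key, derive its fingerprint locally, and install it for apt only
# if that fingerprint matches the one posted above. Needs GnuPG >= 2.1.23
# (for --show-keys) and wget.
set -eu

KEY_URL="${KEY_URL:-http://deb.freepbx.org/gpg/aptly-pubkey.asc}"   # URL from the guide
EXPECTED_FPR="991C 357C 8A35 9D03 82BC 6E87 C4DF E68F CE6D E186"   # fingerprint from the thread
DEST="${DEST:-/etc/apt/keyrings/freepbx.gpg}"                       # assumed destination

# Canonical form: no whitespace, upper-case hex, so "991c 357c ..." and
# "991C357C..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# Exit status 0 only when both values are full 40-hex-digit fingerprints and
# identical; a prefix or a short key ID is never accepted as a match.
fprs_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "${#b}" -eq 40 ] && [ "$a" = "$b" ]
}

# Primary-key fingerprint of an armored key file, read without importing it
# into any keyring (--show-keys); field 10 of the first "fpr" record holds it.
key_fingerprint() {
    gpg --batch --with-colons --show-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_key() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    wget -q -O "$tmp" "$KEY_URL"
    actual=$(key_fingerprint "$tmp")
    if ! fprs_match "$EXPECTED_FPR" "$actual"; then
        echo "fingerprint mismatch: got '$actual', expected '$EXPECTED_FPR'; not installing" >&2
        exit 1
    fi
    # Keep the keyring outside trusted.gpg so the sources entry can pin it with
    # [signed-by=$DEST] instead of trusting this key for every repository.
    install -d -m 0755 "$(dirname "$DEST")"
    gpg --dearmor < "$tmp" > "$DEST"
    chmod 0644 "$DEST"
    echo "installed $DEST with fingerprint $(normalize_fpr "$actual")"
}

# Only act when invoked as "./verify-freepbx-key.sh install"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "install" ]; then
    install_key
fi
```

The comparison insists on the full 40-digit fingerprint rather than the 8- or 16-digit key ID printed by default, because short IDs are cheap to collide. Running the script on two different days or from two different networks and getting the same installed fingerprint is the "repeated accesses across time and space" check from the second post.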