Long answer (everything is my personal opinion on the topic): you can’t! Or more precisely, the only “truly secure” (sigh) way to know that it is the right key to use is to meet someone from the dev team who manages the signing of those images, and ask him in person what the fingerprint of the key is.
Any other means will basically be “getting the info through HTTPS”, which is the same protocol you used to get the image in the first place and could be compromised somehow.
Well then, you could also assume that “a reasonably powerful attacker might be able to corrupt the image, but would not be powerful enough to compromise the whole HTTPS stack and/or the pgp.mit.edu server”… and that it might not be powerful enough to impersonate me and craft this answer on your specific topic on this forum… But that’s up to you.
You could also check how well this key is cross-signed by other people you trust through the web of trust (but unfortunately I think it is not signed by a lot of people, not even by us from the dev team…) (and you would get this info through HTTPS).
My opinion is that, yes, HTTPS isn’t great. But the risk of HTTPS being entirely compromised is too low compared to the cost involved in not trusting HTTPS… (at least in this context).
But other people including you might have legitimate counterarguments depending on assumptions/context/threat model ¯\_(ツ)_/¯
Thanks for the explanation. It does give me some reassurance.
I actually imported that key manually, though, since it was listed on the security page. However, the zip I downloaded (3.1.0 for Raspberry Pi) was signed by another one, supposedly belonging to build@yunohost.org. This one: