Yes the curl -fsSLo adds the brave keyring but as far as i understand it the “echo | tee” command only writes the contents of echos quotationmarks into the defined file in tee.
Edit: Therefore i am asking if step 2 and 3 are obsolete ? and if so how can i manually verify the package ?
tee will write its input to the specified file, as well as stdout. Looks to me like this is in the instructions for ‘visibility’ purposes, i.e. to print on the terminal what is also being written out to the file.
After that, the ‘signed-by’ option appears to be explained here:
So in short, the curl writes out the key file, and the subsequent command tells your package manager (apt) to use that exact key for verifying packages from the Brave repo.
After that, it is the responsibility of your package manager to perform PGP/GPG verification of packages it gets from that repo. This should be happening automatically every time a new package is downloaded.
If you really wanted to verify the files by hand I suggest looking this up in some of the Debian docs as this would be specific to the .deb package format.
Yes, apt or apt-get (I haven’t used Debian in a while so I don’t recall which), or one of the other components in the package manager toolchain, will do this for you. It should happen for Debian’s own packages as well as those from other repositories you add, such as Brave’s, provided you supply it a public key against which it can perform signature verification.