-
Notifications
You must be signed in to change notification settings - Fork 668
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[QA] Missing GPG fingerprint/Key on the homepage, so INSTALL.sh does not check the correctness of the GPG keys #11399
Comments
Here is my comment in the other error ticket, which was marked as off-topic there: I'm not a GPG expert, but the more I read into the problem, the more I understand why it's so difficult for open source projects. On the one hand, it should be as easy as possible to carry out an update. Especially for users of the desktop client, you can't assume that they will use any scripts and probably don't understand the problem when the error message appears during the update.
On the other hand, you need to have an instance to check that the keys have not been overwritten by hackers in case the server is hacked (this has happened before with other projects) This is where the homepage would come in handy. In the case of an open source project, an additional complication is that at least two core developers should sign the key whose key is published on all major key servers. Welcome to the European data protection hell ;) BTW, the new key is only valid for one year. The subkey is valid for one year longer. Looks like a contingency plan .... The first step you could take now would be to put the fingerprint of the key on the homepage in the imprint next to the e-mail address. For further improvements in user-friendliness and security, there is certainly still a lot to be done. |
|
This is by design. We extend the expiry date upon every release. |
If the check fails, the script should abort and issue a corresponding warning. |
The server documentation (https://doc.owncloud.com/server/10.13/admin_manual/installation/manual_installation/manual_installation.html#download-owncloud) describes how to check the GPG signature. Unfortunately, it does not work because at least my GPG reports:
Please publish the fingerprint of the current GPG key somewhere. How can I help to solve this problem? |
See owncloud/docs-client-desktop#540. The fingerprint is documented there as well. |
Looks like this was solved... |
Just to explain it as an assumption. As a hacker, I could perhaps gain access to the server that offers Owncloud for download. Since all admins and users are already used to having to install a new key with every major version of Owncloud, they all install the hacker's key and install / update the hacker's Owncloud version on their system, which has the backdoor, unnoticed. |
Pre-submission Checks
Describe the QA issue
It is not possible to check the correctness of the GPG keys used for signing Linux packages.
If a hacker takes over the server, he can also change the keys and upload them to keyservers.
There is no way for the user to check whether the GPG keys used come from the team.
Steps to reproduce the issue
go to https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/Debian_11/
INSTALL.sh does not check the correctness of the GPG signatures
Screenshots
no screenshot
Expected behavior
INSTALL.sh checks the signatures of the packages to be installed using the public GPG key stored on the homepage.
A user can check the correctness of the signatures using the fingerprint for the e-mail address/GPG key from [email protected] on the homepage
Actual behavior
No response
See also
#owncloud/docs-client-desktop#540
The text was updated successfully, but these errors were encountered: