Document signing key change for Linux repositories #540

Open
fmoc opened this issue Nov 20, 2023 · 8 comments
Comments

@fmoc
Contributor

fmoc commented Nov 20, 2023

With desktop client release v5.0.0 (well, actually with v5.1.2, which brought back Linux packages), we changed our signing key for the Linux packages from the old ones to ownCloud Client Team (Signing Key) <[email protected]> with the fingerprint F05F7DD7953A07DF36579DAA498C45EBE94E7B37.

Users started to notice this change and reported this to us. It turned out that we didn't even mention this change in our documentation. We should change that. Could you please add a short section in the installation instructions that the new key is the one to be used? We could add some more instructions on how to fetch the new key.

CC @michaelstingl

@michaelstingl
Contributor

> We could add some more instructions on how to fetch the new key.

@fmoc those key update instructions not sufficient?

@fmoc
Contributor Author

fmoc commented Nov 23, 2023

They do not emphasize that the key actually has changed. This is what surprised some people. The fingerprint is not expected to ever change, really. We need to communicate actively that the key (fingerprint) is a new one now and that this is expected and safe.

Edit: but yes, the instructions to download and import the key are correct of course, and we recommend that people run these with any upgrade. However, many people use the "latest" alias and get the new releases automatically. They may even just fetch the updated key from the keyservers using gpg once it expires. So, for them, a change is very unexpected.
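The fetch-and-import step discussed above is where a practitioner wants a fingerprint check, so that a key which does not match the published fingerprint never reaches an apt keyring. The script below is an added example, not the ownCloud project's own code or documentation; the fingerprint is the one quoted in this issue, while `KEY_URL` and `KEYRING` are placeholders, and `gpg --show-keys` assumes GnuPG 2.1.23 or newer. The colon-format sample used to exercise the functions is constructed, not captured from the real key.

```shell
#!/bin/sh
# Added example (not from the ownCloud project or its docs): fetch a repository
# signing key, refuse to install it unless its primary-key fingerprint matches
# the published one, then store it as a dedicated apt keyring that a sources
# entry references with signed-by=.
#
# Assumptions (placeholders, not from the issue): KEY_URL and KEYRING.
# EXPECTED_FPR is the fingerprint quoted in the issue.

EXPECTED_FPR="F05F7DD7953A07DF36579DAA498C45EBE94E7B37"
KEY_URL="https://example.invalid/owncloud-client.asc"   # placeholder URL
KEYRING="/etc/apt/keyrings/owncloud-client.gpg"        # placeholder path

# Canonicalise a fingerprint as typed by a human: drop spaces, upper-case hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print only primary-key
# fingerprints. An "fpr" record belongs to the "pub" or "sub" record before it,
# and its 10th field holds the fingerprint. Subkey fingerprints are skipped on
# purpose: the value maintainers publish is the primary key's.
primary_fprs_from_colons() {
  awk -F: '
    $1 == "pub"         { want = 1; next }
    $1 == "fpr" && want { print $10 }
                        { want = 0 }
  '
}

# Usage: gpg --with-colons --show-keys key.asc | fingerprint_matches <expected>
# Exit status 0 only if the expected primary fingerprint is present.
fingerprint_matches() {
  expected=$(normalize_fpr "$1")
  [ ${#expected} -eq 40 ] || return 1   # v4 OpenPGP fingerprints: 40 hex digits
  primary_fprs_from_colons | grep -qx -- "$expected"
}

# Download, verify, install. gpg only inspects the file on disk, so a
# mismatching key never enters any keyring. The final step needs root.
# Assumes an ASCII-armored key (hence --dearmor).
install_repo_key() {
  url=$1; keyring=$2; expected=$3
  tmp=$(mktemp) || return 1
  if ! curl -fsSL -- "$url" -o "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  # --show-keys (GnuPG >= 2.1.23) lists the keys in a file without importing.
  if ! gpg --with-colons --show-keys "$tmp" | fingerprint_matches "$expected"; then
    echo "refusing to install $url: primary fingerprint is not $expected" >&2
    rm -f "$tmp"; return 1
  fi
  install -d -m 0755 "$(dirname "$keyring")" &&
    gpg --dearmor < "$tmp" > "$keyring" && chmod 0644 "$keyring"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Example invocation, commented out so the file can be sourced safely:
# install_repo_key "$KEY_URL" "$KEYRING" "$EXPECTED_FPR" &&
#   echo "deb [signed-by=$KEYRING] <repo-url> /" |
#   sudo tee /etc/apt/sources.list.d/owncloud-client.list
```

Binding the keyring to one repository with `signed-by=` (rather than the deprecated `apt-key add`, which trusts the key for every repository) keeps a rotated key scoped to the packages it is meant to sign. After a rotation like the one in this issue, the old key should also be removed from `/etc/apt/trusted.gpg.d` or the old keyring file, otherwise it continues to authorise the repository alongside the new one.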

@phil-davis
Contributor

For example, I have Ubuntu 20 and usually updates happen automagically when I am doing routine `sudo apt update` / `sudo apt upgrade` - the updates come along with whatever other software updates are available across the system.

Because it is pretty automatic, I may not look in detail at the output for a while (which is reporting some key error/not found...). And so I don't even realize that I have missed out on updates.

As well as documenting when the key has changed, it would be really good not to change the key again (for as long as possible).

@proofy

This comment was marked as off-topic.

@fmoc
Contributor Author

fmoc commented Nov 24, 2023

Please open another issue with the desktop client in https://github.com/owncloud/client/issues/new to propose your changes. These are off topic here. We have a concrete change (unified signing key) and need to document it.

@fmoc
Contributor Author

fmoc commented Nov 24, 2023

> As well as documenting when the key has changed, it would be really good not to change the key again (for as long as possible).

That's the idea. Having a unified signing key for all platforms. The old keys (yes, plural) were really, really old and would have had to be replaced for security reasons at some point anyway. We'll be keeping the current one for as long as possible (probably until, security-wise, a key algorithm change is needed again, from RSA to EdDSA for instance).
