Document signing key change for Linux repositories #540
Comments
@fmoc those key update instructions not sufficient?
They do not emphasize that the key actually has changed. This is what surprised some people. The fingerprint is not expected to ever change, really. We need to communicate actively that the key (fingerprint) is a new one now and that this is expected and safe. Edit: but yes, the instructions to download and import the key are correct of course, and we recommend people to run these with any upgrade. However, many people use the "latest" alias and get the new releases automatically. They may even just fetch the updated key from the keyservers using
For example, I have Ubuntu 20 and usually updates happen automagically when I am doing routine Because it is pretty automatic, I may not look in detail at the output for a while (which is reporting some key error/not found...). And so I don't even realize that I have missed out on updates. As well as documenting when the key has changed, it would be really good not to change the key again (for as long as possible).
This comment was marked as off-topic.
Please open another issue with the desktop client in https://github.com/owncloud/client/issues/new to propose your changes. These are off topic here. We have a concrete change (unified signing key) and need to document it.
That's the idea. Having a unified signing key for all platforms. The old keys (yes, plural) were really, really old and would have had to be replaced for security reasons at some point anyway. We'll be keeping the current one for as long as possible (probably until security-wise a key algorithm change is needed again, from RSA to EdDSA for instance).
With desktop client release v5.0.0 (well, actually with v5.1.2, which brought back Linux packages), we changed our signing key for the Linux packages from the old ones to ownCloud Client Team (Signing Key) <[email protected]> with the fingerprint F05F7DD7953A07DF36579DAA498C45EBE94E7B37.
Users started to notice this change and reported this to us. It turned out that we didn't even mention this change in our documentation. We should change that. Could you please add a short section in the installation instructions that the new key is the one to be used? We could add some more instructions on how to fetch the new key.
CC @michaelstingl
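Added example (not part of the issue or of ownCloud's documentation): a shell check that a fetched key file carries the fingerprint quoted above before it is imported or trusted. The function names, the key-file argument and the constructed sample listing are assumptions; only the fingerprint comes from the issue.

```shell
#!/bin/sh
# Pinned fingerprint of the new signing key, as quoted in the issue text.
EXPECTED_FPR="F05F7DD7953A07DF36579DAA498C45EBE94E7B37"
# Constructed subkey fingerprint, used only by the sample listing below.
SAMPLE_SUBKEY_FPR="00000000000000000000000000000000DEADBEEF"

# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of the
# primary key. Only the "fpr" record that follows a "pub" record counts;
# "fpr" records after "sub" belong to subkeys. Fails unless the input holds
# exactly one primary key, so a bundle with extra keys is rejected.
sole_primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { n++; f = $10; want = 0 }
             END { if (n == 1) print f; else exit 1 }'
}

# Succeed only if the listing on stdin is a single key whose primary
# fingerprint equals the expected value given as $1.
fpr_matches() {
    found=$(sole_primary_fpr) || return 1
    [ "$(normalize_fpr "$found")" = "$(normalize_fpr "$1")" ]
}

# Inspect a downloaded key file without importing it into any keyring.
verify_key_file() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | fpr_matches "$EXPECTED_FPR"
}

# Constructed sample of a colon listing; every field except the primary
# fingerprint (and the key ID derived from it) is a placeholder.
sample_listing() {
    cat <<EOF
pub:-:0:1:498C45EBE94E7B37:0:::-:::scESC:
fpr:::::::::$EXPECTED_FPR:
uid:-::::0::0::ownCloud Client Team (Signing Key):
sub:-:0:1:00000000DEADBEEF:0::::::e:
fpr:::::::::$SAMPLE_SUBKEY_FPR:
EOF
}
```

Calling `verify_key_file` on the downloaded key file (path is the reader's own) returns non-zero when the file holds a different key, more than one key, or no key at all.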