GPG signing key for 19.0.3

[nblock]

The download website at https://nextcloud.com/install/#instructions-server references the signature key at https://nextcloud.com/nextcloud.asc. The fingerprint for this key is: 2880 6A87 8AE4 23A2 8372 792E D758 99B9 A724 937A and all releases except 19.0.3 have been signed with this key. However, the tarball https://download.nextcloud.com/server/releases/nextcloud-19.0.3.tar.bz2 and the respective detached signature from https://download.nextcloud.com/server/releases/nextcloud-19.0.3.tar.bz2.asc have been signed with A438DC095967A1F11601CC42B69CB7F1069B3399.

Steps to reproduce

1. Import nextcloud signing key from https://nextcloud.com/nextcloud.asc
2. Download 19.0.3 release: https://download.nextcloud.com/server/releases/nextcloud-19.0.3.tar.bz2
3. Download the detached signature: https://download.nextcloud.com/server/releases/nextcloud-19.0.3.tar.bz2.asc
4. Verify: gpg --verify nextcloud-19.0.3.tar.bz2.asc

Expected behaviour

The release should be signed with the offered signing key.

Actual behaviour

The release was signed with a new key, that has not been published on the website.

$ gpg --verify nextcloud-19.0.3.tar.bz2.asc 
gpg: assuming signed data in 'nextcloud-19.0.3.tar.bz2'
gpg: Signature made Wed Sep  9 13:45:51 2020 CEST
gpg:                using RSA key A438DC095967A1F11601CC42B69CB7F1069B3399
gpg: Can't check signature: No public key

[kesselb]

@rullzer 👀

[rullzer]

O joy it is picking up the new signing sub key.

[rullzer]

Solved. thanks for reporting