This repository has been archived by the owner on Mar 8, 2019. It is now read-only.

[security] Ensure to retrieve the correct PGP public keys by importing by their fingerprint. #45

Open
ypid opened this issue Apr 19, 2016 · 5 comments

Comments

@ypid

ypid commented Apr 19, 2016

See jchaney/owncloud#12

Vulnerable lines: https://github.com/owncloud/vm/blob/cf6aa232b4e6731bddf00dfd804070cd461eeeb2/vagrant/oc9ce/build-ubuntu-vm.sh#L136

Downloading the PGP key via HTTP and then downloading the packages from the same origin does not make any sense!

@ypid
Author

ypid commented Jan 16, 2017

BTW. The fix which has been merged into https://github.com/nextcloud/vm could also be used here.
The build script still downloads both the packages and OpenPGP key via HTTP without even checking the fingerprint.
Ref: nextcloud/vm#19
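The approach ypid refers to, fetching the key by its full fingerprint and checking what was actually received before trusting it, as an added example that is not code from owncloud/vm or nextcloud/vm; the keyserver URL, the apt file name and all fingerprint values are assumptions or constructed placeholders:

```shell
# Added example, not code from the owncloud/vm build script: fetch an APT
# signing key by its full 40-hex-digit fingerprint (not a short key ID, which
# can be collided), verify that what was actually received has that fingerprint,
# and only then hand it to apt. Fingerprints below are constructed placeholders.
set -eu
KEYSERVER="hkps://keys.openpgp.org"   # assumption: any HKPS keyserver will do

# Canonical fingerprint form: no spaces, upper case.
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# From `gpg --with-colons --fingerprint` output on stdin, print only primary-key
# fingerprints (the 'fpr' record right after 'pub'; an 'fpr' after 'sub' is a subkey).
primary_fingerprints() {
    awk -F: '$1=="pub"{want=1;next} $1=="fpr"&&want{print $10;want=0;next} {want=0}'
}

# Succeed only if stdin lists exactly one primary key whose fingerprint equals $1;
# no key, several keys or a mismatch all fail, so the caller refuses the download.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    got=$(primary_fingerprints)
    [ -n "$got" ] || return 1
    [ "$(printf '%s\n' "$got" | awk 'END{print NR}')" -eq 1 ] || return 1
    [ "$(normalize_fpr "$got")" = "$expected" ]
}

# Fetch by fingerprint into a throwaway keyring, verify, install for apt ($2 = file name).
import_apt_key_by_fingerprint() {
    fpr=$(normalize_fpr "$1"); tmp=$(mktemp -d)
    gpg --homedir "$tmp" --batch --keyserver "$KEYSERVER" --recv-keys "$fpr"
    if gpg --homedir "$tmp" --batch --with-colons --fingerprint "$fpr" | fingerprint_matches "$fpr"; then
        gpg --homedir "$tmp" --batch --export "$fpr" > "/etc/apt/trusted.gpg.d/$2.gpg"; rc=0
    else
        echo "fingerprint mismatch for $fpr, refusing to trust this key" >&2; rc=1
    fi
    rm -rf "$tmp"; return "$rc"
}

# Constructed gpg listing for the offline self-check: one primary key plus a subkey.
SAMPLE_LISTING='pub:-:4096:1:0123456789ABCDEF:1400000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::DEADBEEF::Example Vendor <packages@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1400000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Offline self-check: the primary fingerprint is accepted, the subkey's is rejected.
self_check() {
    printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" || return 1
    if printf '%s\n' "$SAMPLE_LISTING" | fingerprint_matches "FEDCBA9876543210FEDCBA9876543210FEDCBA98"; then return 1; fi
}
```

Run `self_check` to exercise the comparison offline; `import_apt_key_by_fingerprint <fingerprint> <name>` needs gpg, network access and root for the apt directory.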

@enoch85

enoch85 commented Jan 16, 2017

@ypid Have you seen this? nextcloud/vm#52

Does this have to do with anything in this issue?

Please create a PR, this is not my expertise area.

@enoch85

enoch85 commented Jan 16, 2017

Oh, sorry, thought we were on the Nextcloud VM repo now. Just realized that this is the ownCloud repo. Anyway, please make a PR. :)

Thanks!

@ypid
Author

ypid commented Jan 16, 2017

I don’t use either of your VMs. I just wanted to draw your attention back at this issue which makes your build process vulnerable. Please feel encouraged to get familiar with this area and I will be happy to review your PR and give you feedback.

@enoch85

enoch85 commented Jan 16, 2017

cc @kawohl
