Document signing key change for Linux repositories

[fmoc]

With desktop client release v5.0.0 (well, actually with v5.1.2, which brought back Linux packages), we changed our signing key for the Linux packages from the old ones to ownCloud Client Team (Signing Key) <info@owncloud.com> with the fingerprint F05F7DD7953A07DF36579DAA498C45EBE94E7B37.

Users started to notice this change and reported this to us. It turned out that we didn't even mention this change in our documentation. We should change that. Could you please add a short section in the installation instructions that the new key is the one to be used? We could add some more instructions on how to fetch the new key.

CC @michaelstingl

[mmattel]

Also see: https://chrisjean.com/fix-apt-get-update-the-following-signatures-couldnt-be-verified-because-the-public-key-is-not-available/

[michaelstingl]

We could add some more instructions on how to fetch the new key.

@fmoc those key update instructions not sufficient?

• https://download.owncloud.com/desktop/ownCloud/stable/latest/linux/download/

[fmoc]

They do not emphasize that the key actually has changed. This is what surprised some people. The fingerprint is not expected to ever change, really. We need to communicate actively that the key (fingerprint) is a new one now and that this is expected and safe.

Edit: but yes, the instruction to download and import the key are correct of course, and we recommend people to run these with any upgrade. However, many people use the "latest" alias and get the new releases automatically. They may even just fetch the updated key from the keyservers using gpg once it expires. So, for them, a change is very unexpected.

[phil-davis]

For example, I have Ubuntu 20 and usually updates happen automagically when I am doing routine sudo apt update sudo apt upgrade - the updates come along with whatever other software updates are available across the system.

Because it is pretty automatic, I may not look in detail at the output for a while (which is reporting some key error/not found...). And so I don't even realize that I have missed out on updates.

As well as documenting when the key has changed, it would be really good not to change the key again (for as long as possible).

[michaelstingl]

Related:

• https://twitter.com/proofy/status/1725803381812289607
• https://central.owncloud.org/t/problem-again-with-new-gpg-key-during-update-upgrade/45991

[fmoc]

Please open another issue with the desktop client in https://github.com/owncloud/client/issues/new to propose your changes. These are off topic here. We have a concrete change (unified signing key) and need to document it.

[fmoc]

As well as documenting when the key has changed, it would be really good not to change the key again (for as long as possible).

That's the idea. Having a unified signing key for all platforms. The old keys (yes, plural) were really, really old and would have had to be replaced for security reasons at some point anyway. We'll be keeping the current one for as long as possible (probably until security wise a key algorithm change is needed again, from RSA to EdDSA for instance).