Please publish gpg fingerprints etc for repo/ package signing etc

[xpseudonym]

What is the issue?

...
Tailscale stable                                                                                     11 kB/s | 3.1 kB     00:00    
Importing GPG key 0x957F5868:
 Userid     : "Tailscale Inc. (Package repository signing key) <info@tailscale.com>"
 Fingerprint: 2596 A99E AAB3 3821 893C 0A79 458C A832 957F 5868
 From       : https://pkgs.tailscale.com/stable/rhel/9/repo.gp
...

But the best result, using the search engine on 2596 A99E AAB3 3821 893C 0A79 458C A832 957F 5868 is RHEL install error - Bad GPG signature #3540 bug closed 3 years ago - which seeing it there I figured is a fairly good indication that the fingerprint was correct - but, it's not quite the same as publishing these things on a certified site.

Steps to reproduce

$ sudo dnf install tailscale

Are there any recent changes that introduced the issue?

Doubtful

OS

Linux

OS version

rhel 9.4

Tailscale version

1.72.1-1

Other software

n/a

Bug report

No response

[vocatan]

I just finished installing Tailscale on a machine in Ireland, and the curl -fsSL https://tailscale.com/install.sh command wouldn't even complete

As a workaround, I updated the /etc/hosts file on the machine as follows:

199.38.181.239 pkgs.tailscale.com
109.105.218.17 dl.tailscale.com
52.28.255.255 controlplane.tailscale.com

It might not be optimal -but it worked well enough to get the machine online for me to remotely use it.

[vocatan]

Without the above workaround, this is the error I was getting:

/tmp# curl -fsSL https://tailscale.com/install.sh
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[xpseudonym]

@vocatan can you explain the relationship of your posts to the subject of this issue please?

[vocatan]

I was just trying to install Tailscale on another machine and thought that my experiences seemed similar to what you were experiencing.

I'm just a user of the software myself, not involved with development - so take my comments with a grain of salt..

[xpseudonym]

Thanks @vocatan, It seems your issue is with DNS - whereas the OP is a query about where to find a published and certified copy of the PGP package signing cert fingerprint - the relationship between the two might be thought of as similar to that between fish and bicycles.
If you're not confident you're on topic, it's probably best not saying anything at all - obfuscation and confusion is not conducive to bug busting.

[xpseudonym]

This is an example of the sort of Web page I'd expect Tailscale to publish somewhere if it was serious about the security of its software:
'Fedora keeps you safe'

[ElectricTea]

I found this github issue while searching for the tailscale gpg fingerprint. The fingerprint would be a great addition on the tailscale FAQ. https://tailscale.com/kb/1366/faq

[watson28]

any update on this? This seems something fundamental to expose.