list steps to verify public pgp key used for signing for apt on https://riot.im/desktop.html #6824

Closed
ghost opened this issue May 30, 2018 · 4 comments
Labels
P1 Security T-Defect T-Task Tasks for the team like planning


ghost commented May 30, 2018

Description

Over on https://riot.im/desktop.html it says to download and enable the public signing key with `curl -L https://riot.im/packages/debian/repo-key.asc | sudo apt-key add -` to install riot on Ubuntu.

I took a look at `man 8 apt-key` and found the following passage:
"It is critical that keys added manually via apt-key are verified to belong to the owner of the repositories they claim to be for otherwise the apt-secure(8) infrastructure is completely undermined."

It seems critical that this need to somehow verify the downloaded public key isn't addressed on that site at all.

It is my opinion that the need to verify should be addressed on https://riot.im/desktop.html and easy-to-follow step-by-step instructions should be available there, or at least be referenced and linked to there.

These instructions could be about how one finds a chain of trusted signed PGP keys to the downloaded public key and verifies that, or they could be something as simple as posting the fingerprint on https://riot.im/desktop.html and simple instructions on how to verify the fingerprint before enabling it for use with apt.

I realize that this might still be a security vulnerability, because one might be served a version of https://riot.im/desktop.html that has been maliciously modified to show a different fingerprint, but https should help prevent that, and this seems better than enabling the downloaded key for apt signing without any verification whatsoever.
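
The fingerprint check requested above, as an added example (not part of the original issue and not Riot's published instructions): it compares the primary-key fingerprint in `gpg --with-colons` output against one obtained out of band, and rejects a key file that carries more than one primary key. The function names are hypothetical, and the fingerprints and sample records are constructed placeholders, not the real repository key.

```shell
#!/bin/sh
# Added example: verify a repository key's fingerprint before apt trusts it.

# Constructed `gpg --with-colons` records (placeholder key, not a real one).
SAMPLE_ONE_KEY='pub:-:4096:1:89ABCDEF01234567:1500000000:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Example Repo Key <repo@example.invalid>:
sub:-:4096:1:0123456789ABCDEF:1500000000:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Same file with a second, unexpected primary key appended (constructed).
SAMPLE_TWO_KEYS="$SAMPLE_ONE_KEY
pub:-:4096:1:FEDCBA9876543210:1500000000:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:"

# Print the fingerprint of every primary key found on stdin.
# A "pub" record opens a primary key; the next "fpr" record holds its
# fingerprint in field 10. Fingerprints that follow "sub" are subkeys.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Succeed only if stdin describes exactly one primary key and its
# fingerprint equals $1 (spaces and letter case in $1 are ignored).
fingerprint_matches() (
    expected=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    found=$(primary_fingerprints)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] && [ "$found" = "$expected" ]
)

# Usage against a real file: download once, inspect without importing,
# and add that same file only when the check passes.
#   curl -L -o repo-key.asc https://riot.im/packages/debian/repo-key.asc
#   gpg --with-colons --import-options show-only --import repo-key.asc \
#     | fingerprint_matches "$EXPECTED_FPR" && sudo apt-key add repo-key.asc
```

Saving the key to a file first means the bytes that were checked are the bytes that get added, which the original `curl | apt-key add -` pipeline cannot guarantee.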

@lampholder lampholder added T-Defect T-Task Tasks for the team like planning P1 Security labels May 30, 2018
@uhoreg
Member

uhoreg commented Jul 10, 2018

After doing an in-person verification with the Riot repository uploaders, I've signed the repository key with my own key, which is in the Debian keyring, and uploaded it to sks-keyservers.net, so the repository key can be verified in that way. I'm not sure what's the best way to write up instructions for how to do the verification.

@dbkr
Member

dbkr commented Aug 3, 2021

The instructions no longer say this & use a specific key for the repo - seems this is no longer relevant?

@SimonBrandner
Contributor

Yeah and the author is a ghost, so I think we can close this. Shout if you disagree

@turt2live
Member

(being a ghost doesn't make the issue invalid, but agreed that this issue has served its useful purpose)

BBaoVanC added a commit to boba-best/element.boba.best that referenced this issue Oct 11, 2021
* Decrease profile button touch target ([\element-hq#6900](matrix-org/matrix-react-sdk#6900)). Contributed by [ColonisationCaptain](https://github.com/ColonisationCaptain).
* Don't let click events propagate out of context menus ([\element-hq#6892](matrix-org/matrix-react-sdk#6892)).
* Allow closing Dropdown via its chevron ([\element-hq#6885](matrix-org/matrix-react-sdk#6885)). Fixes element-hq#19030 and element-hq#19030.
* Improve AUX panel behaviour ([\element-hq#6699](matrix-org/matrix-react-sdk#6699)). Fixes element-hq#18787 and element-hq#18787. Contributed by [SimonBrandner](https://github.com/SimonBrandner).
* A nicer opening animation for the Image View ([\#6454](matrix-org/matrix-react-sdk#6454)). Fixes element-hq#18186 and element-hq#18186. Contributed by [SimonBrandner](https://github.com/SimonBrandner).
* [Release] Fix space hierarchy pagination ([\element-hq#6910](matrix-org/matrix-react-sdk#6910)).
* Fix leaving space via other client leaving you in undefined-land ([\element-hq#6891](matrix-org/matrix-react-sdk#6891)). Fixes element-hq#18455 and element-hq#18455.
* Handle newer voice message encrypted event format for chat export ([\element-hq#6893](matrix-org/matrix-react-sdk#6893)). Contributed by [jaiwanth-v](https://github.com/jaiwanth-v).
* Fix pagination when filtering space hierarchy ([\element-hq#6876](matrix-org/matrix-react-sdk#6876)). Fixes element-hq#19235 and element-hq#19235.
* Fix spaces null-guard breaking the dispatcher settings watching ([\element-hq#6886](matrix-org/matrix-react-sdk#6886)). Fixes element-hq#19223 and element-hq#19223.
* Fix space children without specific `order` being sorted after those with one ([\element-hq#6878](matrix-org/matrix-react-sdk#6878)). Fixes element-hq#19192 and element-hq#19192.
* Ensure that sub-spaces aren't considered for notification badges ([\element-hq#6881](matrix-org/matrix-react-sdk#6881)). Fixes element-hq#18975 and element-hq#18975.
* Fix timeline autoscroll with non-standard DPI settings. ([\element-hq#6880](matrix-org/matrix-react-sdk#6880)). Fixes element-hq#18984 and element-hq#18984.
* Pluck out JoinRuleSettings styles so they apply in space settings too ([\element-hq#6879](matrix-org/matrix-react-sdk#6879)). Fixes element-hq#19164 and element-hq#19164.
* Null guard around the matrixClient in SpaceStore ([\element-hq#6874](matrix-org/matrix-react-sdk#6874)).
* Fix issue (https ([\element-hq#6871](matrix-org/matrix-react-sdk#6871)). Fixes element-hq#19138 and element-hq#19138. Contributed by [psrpinto](https://github.com/psrpinto).
* Fix pills being cut off in message bubble layout ([\element-hq#6865](matrix-org/matrix-react-sdk#6865)). Fixes element-hq#18627 and element-hq#18627. Contributed by [robintown](https://github.com/robintown).
* Fix space admin check false positive on multiple admins ([\element-hq#6824](matrix-org/matrix-react-sdk#6824)).
* Fix the User View ([\element-hq#6860](matrix-org/matrix-react-sdk#6860)). Fixes element-hq#19158 and element-hq#19158.
* Fix spacing for message composer buttons ([\element-hq#6852](matrix-org/matrix-react-sdk#6852)). Fixes element-hq#18999 and element-hq#18999.
* Always show root event of a thread in room's timeline ([\element-hq#6842](matrix-org/matrix-react-sdk#6842)). Fixes element-hq#19016 and element-hq#19016.
williamkray added a commit to williamkray/element-web that referenced this issue Nov 9, 2021