The GPG key ID is outdated in the RPM signature verification output #93

Closed
gonzalo-bulnes opened this issue Dec 21, 2021 · 0 comments · Fixed by #94


gonzalo-bulnes commented Dec 21, 2021

Currently

The docs reference a GPG key (2359E6538C0613E652955E6C188EDD3B7B22E6A3) as the SecureDrop Release key, but when using it to verify the authenticity and integrity of the securedrop-workstation-dom0-config package, the expected output references a different key, whose ID ends in 00f4ad77.

securedrop-workstation-dom0-config-<versionNumber>-1.fc25.noarch.rpm:
  Header V4 RSA/SHA256 Signature, key ID 00f4ad77: OK
  Header SHA1 digest: OK
  V4 RSA/SHA256 Signature, key ID 00f4ad77: OK
  MD5 digest: OK

Expected

Since the package verification output MUST match the documentation before the reader proceeds with the installation, the documentation should reference the 7b22e6a3 key consistently.

Context

The SecureDrop release key was recently updated, and the most recent key is indeed 7b22e6a3.
See freedomofpress/securedrop-workstation#700
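
A check for the mismatch this issue describes, as an added example that is not part of the original issue or of the SecureDrop project's code: it derives the 8-digit key ID from the documented fingerprint and compares it with every signature line of the verification output. The function names and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SecureDrop project code).
# Fingerprint quoted in the issue as the SecureDrop Release key.
EXPECTED_FPR="2359E6538C0613E652955E6C188EDD3B7B22E6A3"

# Short key ID in the form the quoted output uses: last 8 hex digits, lowercase.
short_key_id() {
    printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f' | sed 's/.*\(........\)$/\1/'
}

# Reads signature-verification output on stdin. Returns 0 only if at least one
# signature line is present and every one is OK and names the expected key.
check_rpm_sig_output() {
    want=$(short_key_id "$1")
    awk -v want="$want" '
        /Signature, key ID/ {
            seen++
            id = $0
            sub(/.*key ID /, "", id)   # drop everything before the ID
            sub(/:.*/, "", id)         # drop the status after it
            if (tolower(id) != want) { print "key ID " id " != " want; bad++ }
            if ($0 !~ /: OK[ \t\r]*$/) { print "not OK: " $0; bad++ }
        }
        END {
            if (!seen) { print "no signature lines found"; exit 1 }
            exit (bad ? 1 : 0)
        }
    ' >&2
}

# Output exactly as quoted in the issue (old key ID 00f4ad77).
sample_old() {
    cat <<'EOF'
securedrop-workstation-dom0-config-<versionNumber>-1.fc25.noarch.rpm:
  Header V4 RSA/SHA256 Signature, key ID 00f4ad77: OK
  Header SHA1 digest: OK
  V4 RSA/SHA256 Signature, key ID 00f4ad77: OK
  MD5 digest: OK
EOF
}
# Constructed sample: the same output naming the key the issue expects.
sample_new() { sample_old | sed 's/00f4ad77/7b22e6a3/'; }

for s in sample_old sample_new; do
    if "$s" | check_rpm_sig_output "$EXPECTED_FPR" 2>/dev/null
    then echo "$s: key ID matches documented fingerprint"
    else echo "$s: does NOT match documented fingerprint"
    fi
done
```

The 8-digit ID is only the tail of the fingerprint, so this comparison checks that documentation and output agree; the full fingerprint of the imported key still has to be confirmed separately.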
